Edit tour

Windows Analysis Report
ronwod.exe

Overview

General Information

Sample name:	ronwod.exe
Analysis ID:	1581561
MD5:	63ff0c8e75aa669f22e79ebf017c0aa8
SHA1:	1255d7f37e1d2d36632bd142b76d8141c47c45a3
SHA256:	e8ac8d925f9b53bb66892cbac2f38cf7c1bcc5802a79c74c6d8b54e684b66e6a
Infos:

Detection

LummaC

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ronwod.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\ronwod.exe" MD5: 63FF0C8E75AA669F22E79EBF017C0AA8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["scentniej.buzz", "inherineau.buzz", "lackadausaz.click", "cashfuzysao.buzz", "hummskitnj.buzz", "screwamusresz.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "appliacnesot.buzz"], "Build id": "IRiaFi--26dek1"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1699783169.000000006CDAA000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.ronwod.exe.da0000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.ronwod.exe.da0000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.ronwod.exe.6cda0000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:15:06.100680+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	172.67.198.222	443	TCP
2024-12-28T08:15:08.481125+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.198.222	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:15:07.407004+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	172.67.198.222	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:15:07.407004+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	172.67.198.222	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.ronwod.exe.da0000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["scentniej.buzz", "inherineau.buzz", "lackadausaz.click", "cashfuzysao.buzz", "hummskitnj.buzz", "screwamusresz.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "appliacnesot.buzz"], "Build id": "IRiaFi--26dek1"}

Multi AV Scanner detection for submitted file

Source: ronwod.exe	Virustotal: Detection: 45%			Perma Link
Source: ronwod.exe	ReversingLabs: Detection: 43%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.4% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lackadausaz.click
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: IRiaFi--26dek1

Source: ronwod.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown

HTTPS traffic detected: 172.67.198.222:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: ronwod.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2]	0_2_00DDD0D9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h	0_2_00DE00C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebx, word ptr [esi]	0_2_00DAA8B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00DDD9C1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2-00002C30h]	0_2_00DACC75
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00DB90D1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	0_2_00DAC08B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h	0_2_00DDB8A0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00DC904E
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h	0_2_00DDF040
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00DCB841
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00DC4060
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00DC4060
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add ecx, edi	0_2_00DCB00F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_00DDE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00DDE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00DDE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00DDE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00DDE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00DDE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00DDE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea edx, dword ptr [eax-00001099h]	0_2_00DDB1D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00DC91B1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*2+28h]	0_2_00DC6990
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00DC91B1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	0_2_00DAC158
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	0_2_00DDF150
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+12h]	0_2_00DAC942
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00DC2140
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax+00000960h]	0_2_00DBC119
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00DB9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	0_2_00DB9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edi, word ptr [esp+eax*2+10h]	0_2_00DB9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00DDE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00DDE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00DDE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00DC5A90
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea edi, dword ptr [edx+00001E1Eh]	0_2_00DADA8B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax*2+4D3B4CBCh]	0_2_00DAA2A6
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_00DC8A4D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	0_2_00DC9A43
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00DC9266
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00DDEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00DDEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00DDEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00DC0A20
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea edx, dword ptr [eax+00000960h]	0_2_00DBC3F4
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	0_2_00DDFB10
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah	0_2_00DDFB10
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00DDDB39
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_00DE04D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov dword ptr [edi], 60296828h	0_2_00DC4CCD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [ebx+eax*2]	0_2_00DC4CCD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	0_2_00DCB48C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then push eax	0_2_00DDDC5E
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2DFE5A91h	0_2_00DDF450
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+eax*2+04h]	0_2_00DDB450
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00DC3C40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00DC3C40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00DA7410
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00DA7410
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	0_2_00DE0400
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add eax, 10h	0_2_00DB95FD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+40h]	0_2_00DDCDF0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+0000028Ch]	0_2_00DCD5E6
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+06h]	0_2_00DC85E1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_00DC85E1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	0_2_00DBBD8F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax-000037DBh]	0_2_00DA9570
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00DCBD77
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then jmp edi	0_2_00DAA533
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax+000071B9h]	0_2_00DC6520
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00DC3EC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00DC3EC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+14h]	0_2_00DD86C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00DCBE9D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	0_2_00DB5E8C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00DCBE86
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00DA8E50
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_00DE0650
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00DC3675
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00DC3675
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00DC1E60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00DD4E60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00DCBE3B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	0_2_00DC9630
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00DCC7DD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00DC9F80
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	0_2_00DDF780
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebx, word ptr [esp+edx*2+28h]	0_2_00DB77AD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	0_2_00DB5F4C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+ecx*8], E0A81160h	0_2_00DB6777
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebp, word ptr [esp+ecx*2-7B41DE5Ah]	0_2_00DC5770
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_00DDE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00DDE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00DDE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00DDE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add eax, 10h	0_2_00DB95FD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	0_2_00DDFF00
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00DBB729

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.198.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.198.222:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: lackadausaz.click
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.198.222:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.198.222:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lackadausaz.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: lackadausaz.click

Source: unknown

Source: ronwod.exe, 00000000.00000003.1698784366.0000000001332000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699466297.0000000001332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/2
Source: ronwod.exe, 00000000.00000003.1698932276.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699547284.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698784366.0000000001368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/7z
Source: ronwod.exe, 00000000.00000003.1698784366.0000000001347000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698932276.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699507616.0000000001347000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699547284.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698784366.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699466297.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/api
Source: ronwod.exe, 00000000.00000003.1698932276.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699547284.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698784366.0000000001368000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/api&&(
Source: ronwod.exe, 00000000.00000003.1698784366.0000000001347000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699507616.0000000001347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apix

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 172.67.198.222:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00DD22E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00DD22E0

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00DD22E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00DD22E0

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00DD2AF4 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00DD2AF4

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00C8346D	0_2_00C8346D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00C82A83	0_2_00C82A83
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DAA8B0	0_2_00DAA8B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA9C6F	0_2_00DA9C6F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB90D1	0_2_00DB90D1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCC8D0	0_2_00DCC8D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA38F0	0_2_00DA38F0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD20B0	0_2_00DD20B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC4060	0_2_00DC4060
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB602C	0_2_00DB602C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDE820	0_2_00DDE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDE9D0	0_2_00DDE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDB1D0	0_2_00DDB1D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DAE9B0	0_2_00DAE9B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA61B0	0_2_00DA61B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC69B0	0_2_00DC69B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB51A9	0_2_00DB51A9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDF150	0_2_00DDF150
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDB940	0_2_00DDB940
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB717B	0_2_00DB717B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB8170	0_2_00DB8170
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD7170	0_2_00DD7170
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB4161	0_2_00DB4161
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD7960	0_2_00DD7960
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA9100	0_2_00DA9100
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DBD900	0_2_00DBD900
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA5930	0_2_00DA5930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB9930	0_2_00DB9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDE920	0_2_00DDE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC5ACF	0_2_00DC5ACF
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC5ACF	0_2_00DC5ACF
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA82C0	0_2_00DA82C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC5A90	0_2_00DC5A90
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA42A0	0_2_00DA42A0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DBCAA0	0_2_00DBCAA0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB0247	0_2_00DB0247
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB5A72	0_2_00DB5A72
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DAB262	0_2_00DAB262
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDEA60	0_2_00DDEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCF211	0_2_00DCF211
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC822F	0_2_00DC822F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD73D0	0_2_00DD73D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA4BE0	0_2_00DA4BE0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DBE390	0_2_00DBE390
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB138A	0_2_00DB138A
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDFB10	0_2_00DDFB10
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DAEB3B	0_2_00DAEB3B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD7CF0	0_2_00DD7CF0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCB48C	0_2_00DCB48C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB0C83	0_2_00DB0C83
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB64A3	0_2_00DB64A3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCCC5D	0_2_00DCCC5D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDF450	0_2_00DDF450
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC3C40	0_2_00DC3C40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD0470	0_2_00DD0470
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA7410	0_2_00DA7410
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC7C29	0_2_00DC7C29
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCF5D9	0_2_00DCF5D9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DBADD0	0_2_00DBADD0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DBDDC0	0_2_00DBDDC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC85E1	0_2_00DC85E1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC7551	0_2_00DC7551
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA9570	0_2_00DA9570
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCBD77	0_2_00DCBD77
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC1570	0_2_00DC1570
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD6569	0_2_00DD6569
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DAF529	0_2_00DAF529
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC6520	0_2_00DC6520
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA2ED0	0_2_00DA2ED0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD5ED3	0_2_00DD5ED3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC3EC0	0_2_00DC3EC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD86C0	0_2_00DD86C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCDEF1	0_2_00DCDEF1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCBE9D	0_2_00DCBE9D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCC8D0	0_2_00DCC8D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB16A0	0_2_00DB16A0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDB650	0_2_00DDB650
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD1E50	0_2_00DD1E50
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DA6640	0_2_00DA6640
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD8E40	0_2_00DD8E40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC3675	0_2_00DC3675
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCCE60	0_2_00DCCE60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDDE19	0_2_00DDDE19
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DCBE3B	0_2_00DCBE3B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DC9630	0_2_00DC9630
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DAC621	0_2_00DAC621
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DD8FD9	0_2_00DD8FD9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDF780	0_2_00DDF780
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB77AD	0_2_00DB77AD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DB6777	0_2_00DB6777
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDE710	0_2_00DDE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DBB729	0_2_00DBB729

Source: C:\Users\user\Desktop\ronwod.exe	Code function: String function: 00DA7FA0 appears 46 times
Source: C:\Users\user\Desktop\ronwod.exe	Code function: String function: 00DB3CD0 appears 74 times

Source: ronwod.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00DD7CF0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_00DD7CF0

Source: ronwod.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ronwod.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ronwod.exe	Virustotal: Detection: 45%
Source: ronwod.exe	ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: wsdapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: cr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: wsdapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: ronwod.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00C814E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C814E0

Source: ronwod.exe

Static PE information: real checksum: 0xd10d should be: 0xd10c

Source: ronwod.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DE79FC push edi; retf	0_2_00DE79FD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DE7388 push 0843014Ch; ret	0_2_00DE739E
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DE6C81 push ebp; ret	0_2_00DE6F15
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDB5B0 push eax; mov dword ptr [esp], 31A531AAh	0_2_00DDB5BE
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DE4D1C push eax; retf	0_2_00DE4D1E
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DDE6B0 push eax; mov dword ptr [esp], 352E36E1h	0_2_00DDE6B3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00DE7F4B pushad ; iretd	0_2_00DE7FDD

Source: C:\Users\user\Desktop\ronwod.exe

API coverage: 6.1 %

Source: C:\Users\user\Desktop\ronwod.exe TID: 6912

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: ronwod.exe, 00000000.00000003.1698784366.0000000001332000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698932276.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699547284.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698784366.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699466297.0000000001332000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ronwod.exe, 00000000.00000003.1698932276.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699547284.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698784366.0000000001368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00DDCD20 LdrInitializeThunk,

0_2_00DDCD20

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00C814E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C814E0

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00C813C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	0_2_00C813C9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00C811A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_00C811A3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00C8116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_00C8116C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00C81160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_00C81160

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: ronwod.exe	String found in binary or memory: inherineau.buzz
Source: ronwod.exe	String found in binary or memory: screwamusresz.buzz
Source: ronwod.exe	String found in binary or memory: rebuildeso.buzz
Source: ronwod.exe	String found in binary or memory: scentniej.buzz
Source: ronwod.exe	String found in binary or memory: lackadausaz.click
Source: ronwod.exe	String found in binary or memory: hummskitnj.buzz
Source: ronwod.exe	String found in binary or memory: prisonyfork.buzz
Source: ronwod.exe	String found in binary or memory: appliacnesot.buzz
Source: ronwod.exe	String found in binary or memory: cashfuzysao.buzz

Source: C:\Users\user\Desktop\ronwod.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 0.2.ronwod.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.6cda0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1699783169.000000006CDAA000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 0.2.ronwod.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.6cda0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1699783169.000000006CDAA000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ronwod.exe	46%	Virustotal		Browse
ronwod.exe	43%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://lackadausaz.click/api	0%	Avira URL Cloud	safe
https://lackadausaz.click/7z	0%	Avira URL Cloud	safe
https://lackadausaz.click/2	0%	Avira URL Cloud	safe
https://lackadausaz.click/apix	0%	Avira URL Cloud	safe
lackadausaz.click	0%	Avira URL Cloud	safe
https://lackadausaz.click/api&&(	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lackadausaz.click	172.67.198.222	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://lackadausaz.click/api	true	Avira URL Cloud: safe	unknown
scentniej.buzz	false		high
prisonyfork.buzz	false		high
rebuildeso.buzz	false		high
hummskitnj.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
lackadausaz.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://lackadausaz.click/7z	ronwod.exe, 00000000.00000003.1698932276.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699547284.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698784366.0000000001368000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/apix	ronwod.exe, 00000000.00000003.1698784366.0000000001347000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699507616.0000000001347000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/2	ronwod.exe, 00000000.00000003.1698784366.0000000001332000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699466297.0000000001332000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/api&&(	ronwod.exe, 00000000.00000003.1698932276.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000002.1699547284.0000000001368000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698784366.0000000001368000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.198.222	lackadausaz.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581561
Start date and time:	2024-12-28 08:14:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ronwod.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 16 Number of non-executed functions: 147
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:15:06	API Interceptor	1x Sleep call for process: ronwod.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	48.252.190.9.zip	Get hash	malicious	Unknown	Browse	104.21.95.219
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	104.22.72.81
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.222
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Script.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	External2.4.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Aura.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Aura.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.198.222

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.953519512977486
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ronwod.exe
File size:	28'672 bytes
MD5:	63ff0c8e75aa669f22e79ebf017c0aa8
SHA1:	1255d7f37e1d2d36632bd142b76d8141c47c45a3
SHA256:	e8ac8d925f9b53bb66892cbac2f38cf7c1bcc5802a79c74c6d8b54e684b66e6a
SHA512:	1756b3b2bc7ceb6e65812472449b6d3986798885efe36eec4f09d84a2c02dd553be54a57d4fcadb9212017ce1e00f6eae27be295aa1544d779acfdf9337e19b3
SSDEEP:	768:iZBrjUZQBuH24LfgzBXGkd+vA4BfBs2wWwid:k1A1H24gzBXlsvWW
TLSH:	E1D22B36F506C0F4D5B0A1737556CB3AC1567E3982BBDA177F5A9A0CB552AC1E80B303
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg...............'.<...l......m4.......P....@.......................................@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40346d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x676DBF0D [Thu Dec 26 20:39:41 2024 UTC]
TLS Callbacks:	0x403c60, 0x403c10
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ec197db05918b643672a5f762a6bf67f

Entrypoint Preview

Instruction
lea ecx, dword ptr [esp+04h]
and esp, FFFFFFF0h
push dword ptr [ecx-04h]
push ebp
mov ebp, esp
push esi
push ebx
push ecx
sub esp, 000000FCh
call 00007FC024D2BFADh
mov dword ptr [ebp-1Ch], FFFEAD6Ch
mov dword ptr [ebp-20h], 0000044Ah
mov dword ptr [ebp-24h], 0000BB48h
mov dword ptr [ebp-28h], 00006C95h
mov dword ptr [ebp-2Ch], 00009E21h
mov dword ptr [ebp-30h], 00012977h
mov dword ptr [ebp-34h], FFFE882Bh
mov dword ptr [ebp-38h], 00003D3Dh
mov dword ptr [ebp-3Ch], FFFF3111h
mov dword ptr [ebp-40h], 00009E96h
mov dword ptr [ebp-7Fh], 72657645h
mov dword ptr [ebp-7Bh], 69687479h
mov dword ptr [ebp-77h], 7320676Eh
mov dword ptr [ebp-73h], 656C7974h
mov dword ptr [ebp-70h], 006F2065h
mov dword ptr [ebp-000000BAh], 6966664Fh
mov dword ptr [ebp-000000B6h], 73206563h
mov dword ptr [ebp-000000B2h], 6C756F68h
mov dword ptr [ebp-000000AEh], 6F432064h
mov dword ptr [ebp-000000AAh], 6572676Eh
mov dword ptr [ebp-000000A6h], 6D207373h
mov dword ptr [ebp-000000A2h], 0000736Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9000	0x870	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x298	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x61ac	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x91a4	0x118	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3bc4	0x3c00	d43dbcd582b2de6b24c9b54f13ec3b69	False	0.6252604166666667	data	6.308095947249623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5000	0x2c	0x200	8af2200f3d78bfef912a7a5e90b3b6d9	False	0.0703125	data	0.45553213366209966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x6000	0x8e8	0xa00	fae3ccf05cc435c192297337e2b36558	False	0.305078125	data	5.178055096636522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x7000	0xb74	0xc00	e12be465000291135c76033ef2bee1bb	False	0.4000651041666667	data	4.627729876750088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x8000	0xc0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9000	0x870	0xa00	255702de46ede0f2abe227c7565d9168	False	0.3953125	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.369429268872872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xa000	0x30	0x200	b861caf0a71ba67826f7f5151137e51b	False	0.064453125	data	0.2155331448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xb000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc000	0x4e8	0x600	302acf3589069dafe3806c6220e3778b	False	0.333984375	data	4.778477168376261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xd000	0x298	0x400	7d7eb6029df6b012857b1dac513c3922	False	0.62109375	data	4.8724675758400435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	__getmainargs, __initenv, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, _iob, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf
ncrypt.dll	BCryptDuplicateHash, BCryptGenRandom, BCryptGenerateKeyPair, BCryptRemoveContextFunction, NCryptCreatePersistedKey, NCryptEnumStorageProviders, NCryptIsKeyHandle, NCryptSetProperty
winmm.dll	midiInGetErrorTextA, midiOutGetDevCapsA, mixerGetLineInfoA, mixerSetControlDetails, mmGetCurrentTask, mmioSetInfo, waveInOpen, waveInStart
wsdapi.dll	WSDCreateOutboundAttachment, WSDDetachLinkedMemory, WSDGenerateFault, WSDGenerateFaultEx, WSDGetConfigurationOption, WSDUriDecode, WSDXMLCreateContext, WSDXMLGetNameFromBuiltinNamespace
cr.dll	EMuqdKRvBcgQuKOr

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T08:15:06.100680+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	172.67.198.222	443	TCP
2024-12-28T08:15:07.407004+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	172.67.198.222	443	TCP
2024-12-28T08:15:07.407004+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	172.67.198.222	443	TCP
2024-12-28T08:15:08.481125+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.198.222	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 08:15:04.833369970 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:04.833403111 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:04.833482027 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:04.836390018 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:04.836401939 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:06.100523949 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:06.100680113 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:06.177200079 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:06.177216053 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:06.177444935 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:06.230994940 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:06.405092955 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:06.405546904 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:06.405570030 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:07.407021999 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:07.407099962 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:07.407177925 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:07.409599066 CET	49730	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:07.409612894 CET	443	49730	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:07.420790911 CET	49731	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:07.420844078 CET	443	49731	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:07.420932055 CET	49731	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:07.421909094 CET	49731	443	192.168.2.4	172.67.198.222
Dec 28, 2024 08:15:07.421927929 CET	443	49731	172.67.198.222	192.168.2.4
Dec 28, 2024 08:15:08.481125116 CET	49731	443	192.168.2.4	172.67.198.222

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 08:15:04.509865046 CET	55157	53	192.168.2.4	1.1.1.1
Dec 28, 2024 08:15:04.827673912 CET	53	55157	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 08:15:04.509865046 CET	192.168.2.4	1.1.1.1	0x8532	Standard query (0)	lackadausaz.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 08:15:04.827673912 CET	1.1.1.1	192.168.2.4	0x8532	No error (0)	lackadausaz.click		172.67.198.222	A (IP address)	IN (0x0001)	false
Dec 28, 2024 08:15:04.827673912 CET	1.1.1.1	192.168.2.4	0x8532	No error (0)	lackadausaz.click		104.21.92.219	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lackadausaz.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.198.222	443	6720	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:15:06 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lackadausaz.click
2024-12-28 07:15:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 07:15:07 UTC	1134	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:15:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nbnp6h3bnct0fq8amdnj2m9bq2; expires=Wed, 23 Apr 2025 01:01:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3dX9nH44p2Fnqt1HnvZ8dbz7GJafYm89sEm%2FuLVj%2FMPc0ChR5SOPRkmwCAu8PJ1KxH33AZ0dn46C6W3F%2BQpUjKxPgO%2F5GNkfWRdlQ7fPZCgm6xV5WRaTHNCGe9Y2s9INLCjYg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc1df9e646a50-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1631&rtt_var=624&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1734997&cwnd=234&unsent_bytes=0&cid=e12182d3a0f3c3c0&ts=1319&x=0"
2024-12-28 07:15:07 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 07:15:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:15:03
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\ronwod.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ronwod.exe"
Imagebase:	0xc80000
File size:	28'672 bytes
MD5 hash:	63FF0C8E75AA669F22E79EBF017C0AA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1699783169.000000006CDAA000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	84.5%
Signature Coverage:	32.8%
Total number of Nodes:	58
Total number of Limit Nodes:	3

Executed Functions

Function 00C8346D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EMuqdKRvBcgQuKOr.CR ref: 00C83AF6

Strings

Office should Congress most rich likely large. Church ev, xrefs: 00C835EB
ANHeIue, xrefs: 00C837C3
yZasTv, xrefs: 00C83603
hvaeczrruYw, xrefs: 00C83953
e f, xrefs: 00C835E1
rbxMMVTPRX, xrefs: 00C83A13
FIXGDzM, xrefs: 00C836F5
==, xrefs: 00C834B9
7, xrefs: 00C83840
ver, xrefs: 00C8357D
xvSnPeDynuj, xrefs: 00C83698
rwsGuyqwzAP, xrefs: 00C8373F
XJSRBDxKyaSs, xrefs: 00C8361D
cJEqBOnCxLkR, xrefs: 00C8360B
"s, xrefs: 00C8391B
ISAwZDVYrka, xrefs: 00C8394B
e o, xrefs: 00C834EA
kiwvMKnkoz, xrefs: 00C83933
Area possible always matter his vote, xrefs: 00C83613
XkzrMvTaZ, xrefs: 00C836DD
Everything style, xrefs: 00C8366F
WlLIBtD, xrefs: 00C836D5
XSKIHuymetD, xrefs: 00C837CB

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: Muqd
String ID: "s$7$==$ANHeIue$Area possible always matter his vote$Everything style$FIXGDzM$ISAwZDVYrka$Office should Congress most rich likely large. Church ev$WlLIBtD$XJSRBDxKyaSs$XSKIHuymetD$XkzrMvTaZ$cJEqBOnCxLkR$e f$e o$hvaeczrruYw$kiwvMKnkoz$rbxMMVTPRX$rwsGuyqwzAP$ver$xvSnPeDynuj$yZasTv
API String ID: 1727731889-288809459
Opcode ID: 6b74a94d99cd62af27b62309200cbc819329fbd6889359600df593770d6986a7
Instruction ID: 1892c6316b3aab48b8841f95178f59c884e810af072694e6b19192b848c313ca
Opcode Fuzzy Hash: 6b74a94d99cd62af27b62309200cbc819329fbd6889359600df593770d6986a7
Instruction Fuzzy Hash: 4822DBB1D142199FCB10CFA8D985A8EFBF0FF48304F10896AE498EB251D778AA44CF55

Function 00DACC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ehph, xrefs: 00DACF66
ChYh, xrefs: 00DACF1A
ohuh, xrefs: 00DACE54
0h+h, xrefs: 00DACE80
fhch, xrefs: 00DACE96
ph8h, xrefs: 00DACE5F
HhPh, xrefs: 00DACEEE
FhFh, xrefs: 00DACF30
<h7h, xrefs: 00DACF46
`h,h, xrefs: 00DACECD
xhdh, xrefs: 00DACE75
lackadausaz.click, xrefs: 00DAD003
uheh, xrefs: 00DACE8B
hh(h, xrefs: 00DACEC2
Kh^h, xrefs: 00DACF25
Xh h, xrefs: 00DACF3B
yhrh, xrefs: 00DACEA1
^hYh, xrefs: 00DACF0F
ehdh, xrefs: 00DACED8
RhTh, xrefs: 00DACEF9
shoh, xrefs: 00DACEAC
vh}h, xrefs: 00DACE49
Rhvh, xrefs: 00DACE6A
uhjh, xrefs: 00DACEB7

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0h+h$<h7h$ChYh$Ehph$FhFh$HhPh$Kh^h$RhTh$Rhvh$Xh h$^hYh$`h,h$ehdh$fhch$hh(h$lackadausaz.click$ohuh$ph8h$shoh$uheh$uhjh$vh}h$xhdh$yhrh
API String ID: 0-3755386291
Opcode ID: 5f321dee109e8d0734e876d70026391a0fa03f30227dc8cd5f72a5ff2d1a1b51
Instruction ID: 8e3a3c17b60ffad50de8d2ca2412aa3f855edabc10d84f6224f70360f95fb459
Opcode Fuzzy Hash: 5f321dee109e8d0734e876d70026391a0fa03f30227dc8cd5f72a5ff2d1a1b51
Instruction Fuzzy Hash: 128122B191D3D08AD7308F29D98939BBBE2EFC2300F69496CD1C85F250EB390516CB62

Function 00DA9C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&XSX, xrefs: 00DA9D88
)XPX, xrefs: 00DA9D92
7XvX, xrefs: 00DA9DA6
%X:X, xrefs: 00DA9D9C
IX6X, xrefs: 00DA9DB0

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: %X:X$&XSX$)XPX$7XvX$IX6X
API String ID: 0-642955395
Opcode ID: 61fff7922856e6c1479058bec21ba1e185fd90b787738a0e92c4b859b68584ef
Instruction ID: 47aa028ba35821946ec92fe93663f10f043cffdcb8de7cb2267897a7cbccf5e9
Opcode Fuzzy Hash: 61fff7922856e6c1479058bec21ba1e185fd90b787738a0e92c4b859b68584ef
Instruction Fuzzy Hash: DB414673E107168BDB94CFA5CC847DAFB76EB92B00F1581AC8518EB740EB749652CB50

Function 00DAA8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

j>a>, xrefs: 00DAAA0F
F>]>, xrefs: 00DAA97F
ok, xrefs: 00DAAAC3

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: F>]>$j>a>$ok
API String ID: 0-2883800044
Opcode ID: 9ad787c5f465706e09e88ea079fb59328f4b45e76590adf26736b347afdaba81
Instruction ID: b4692f1d2b77d419247488d08e6d0c2a3c450c612053e002516c1cc5ffcfd240
Opcode Fuzzy Hash: 9ad787c5f465706e09e88ea079fb59328f4b45e76590adf26736b347afdaba81
Instruction Fuzzy Hash: 97B1D07650C3218BD728CF19845156FBBE2EFD2700F194A2CE9D59B740D3399909CBAB

Function 00DDD0D9 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 00DDD150
9., xrefs: 00DDD200

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 9.$9.
API String ID: 2994545307-2940951921
Opcode ID: 131a1e42d6fb98efe435951a0edc39c1ebb517d928741a9840d4da51c6ad47b6
Instruction ID: c3e27c1ee28344c1a010253184ade5a84c70c39ac2d18d5a7a4d3d4ec8a83241
Opcode Fuzzy Hash: 131a1e42d6fb98efe435951a0edc39c1ebb517d928741a9840d4da51c6ad47b6
Instruction Fuzzy Hash: B7412771E406216FDB04AF28CD90B26B693EBD5311F29D635D988EB3D9DA709C1087E4

Function 00DDCD20 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00DE009B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00DDCD4E

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00DE00C0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

@, xrefs: 00DE0172

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 02f8f52b8359edae9a278ae1f6f772da159b53315073430a2552d94032995450
Instruction ID: 86385978f99a1c8d1a641ebb872072ef0044ea3f5a3e97db0d23fc159d623ade
Opcode Fuzzy Hash: 02f8f52b8359edae9a278ae1f6f772da159b53315073430a2552d94032995450
Instruction Fuzzy Hash: B94166709043008BC714EF55CC94A6BBBF5FF94314F18851CE9895B3A0E7B69945C7A2

Function 00DDD9C1 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

@, xrefs: 00DDDA4D

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: fa65a0a9db56663c743801f49e75ed4b89d117a00931801ca4d2aed4b16ca81d
Instruction ID: 38b9a58ebbad3999689794879c09d62399df7bc89aace54c498291c290caabd0
Opcode Fuzzy Hash: fa65a0a9db56663c743801f49e75ed4b89d117a00931801ca4d2aed4b16ca81d
Instruction Fuzzy Hash: 3D410FB0A193109BDB14CF28C860B3BB6E3EFD1704F18952EE4859B394E7319C04C7A2

Function 00DA86C0 Relevance: 7.6, APIs: 5, Instructions: 92
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00DA86E2
GetCurrentThreadId.KERNEL32 ref: 00DA86E8
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00DA86F9
GetForegroundWindow.USER32 ref: 00DA87BA
ExitProcess.KERNEL32 ref: 00DA87F9

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: bea2a1ab417e9feb07424354529b7c9c20b23e0655688883eeafc42f9d7eae39
Instruction ID: 21b6863456b694e2678717552555add5428aa6d6347a3545bc1fa7cb28661eef
Opcode Fuzzy Hash: bea2a1ab417e9feb07424354529b7c9c20b23e0655688883eeafc42f9d7eae39
Instruction Fuzzy Hash: 8B217471E403005BD718BB25DC4B7A93696EFC2710F1D846AE981DF3A6EE794802C2B2

Function 00DAE6BA Relevance: 2.5, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 00DAE6BA
CoUninitialize.COMBASE ref: 00DAE6C0

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 4dc170f57f88a5dda0a54b5a7f16ff4b74cc7008d657ac7601fba32322e8751d
Instruction ID: 1ddb11ba85ec4442cacc527f532066cdb81ae5b8ec1b481e39fc6f5a202a8133
Opcode Fuzzy Hash: 4dc170f57f88a5dda0a54b5a7f16ff4b74cc7008d657ac7601fba32322e8751d
Instruction Fuzzy Hash: 94D0C976B11284CFD319EF34EDA8AA43B62B7893173198B6C9507CA768DE70A4448A60

Function 00DD6B2D Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00DD6B5E

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 663566c4e3bc37581441860e85710373969bdf74dc4ee0756f7e1f36718407ab
Instruction ID: 552eb9a18570f64941764146b9b184e48a8c1cb273b28b5ec19561c8b5f078fc
Opcode Fuzzy Hash: 663566c4e3bc37581441860e85710373969bdf74dc4ee0756f7e1f36718407ab
Instruction Fuzzy Hash: 7C11E772F156548BD718CA68CD916ED67F29FE9300F2A807AC449D7398D93C8A418661

Function 00DACC13 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00DACC25

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 790a88dc129d2936216ae0774b28ad41534b702726415ba5999e09bca84d40fe
Instruction ID: f34040b6b66b41961df5b61fcb42ef8245794e0e1b44280b9b31b05b60704377
Opcode Fuzzy Hash: 790a88dc129d2936216ae0774b28ad41534b702726415ba5999e09bca84d40fe
Instruction Fuzzy Hash: 3DE0D876BE0B043AF25D4529DC77F64215357C0B11F38C35CB3126E3DCC974A4028118

Function 00DDCE81 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 00DDCE9A

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c22df728cdc644a3512d7f9943abb91655ab55a478e6f5e851bdd0ec54f7f9e2
Instruction ID: 72b442c2f04325ae1c71754903bc0c088d71d4c03847c92cb284e8b68eb50172
Opcode Fuzzy Hash: c22df728cdc644a3512d7f9943abb91655ab55a478e6f5e851bdd0ec54f7f9e2
Instruction Fuzzy Hash: 0CE08CB99403869FC700EB24FCD687577A4EF08315708442AE24ECB362EAB6E506DA30

Function 00DACBE0 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 00DACBF3

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5aceed856b0807a685c0db6ca0093ad1d1166268ce19ae2cecafcf8edbd76607
Instruction ID: 228d34759857c0f434886363810bfd48baf37b129d01503f7e63b1982b4252a9
Opcode Fuzzy Hash: 5aceed856b0807a685c0db6ca0093ad1d1166268ce19ae2cecafcf8edbd76607
Instruction Fuzzy Hash: 45D0A7305D03846BD254775DEC87F23375C9712729F800229F662CA7E1D9907910D6B9

Function 00DDB1A0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00DB21FC), ref: 00DDB1BE

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2bfba641ba2ed0207ac20446aa90b5748b93df9f2f2e619dc5440a6c8e17500f
Instruction ID: 511b0214e097601d4d895288bbcbee40ebb98d5273f1a7a9b43b586e88d9c995
Opcode Fuzzy Hash: 2bfba641ba2ed0207ac20446aa90b5748b93df9f2f2e619dc5440a6c8e17500f
Instruction Fuzzy Hash: A9D0C931405222EBC6102F18BC06B9A3A95DF45321F024851A404AF2B0C660EC9096B4

Function 00DDB180 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00DDF543,?,00DDF543,?,00000000,00000000,00000000,00000000), ref: 00DDB190

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5daa6a032fc2811bf13f9d320025e04b6f12131dd0e34917521b4596c118e4e3
Instruction ID: eab3416b71a991a01a05df041ba53c18be4cffce48586a5860f70d4f1d7bab9a
Opcode Fuzzy Hash: 5daa6a032fc2811bf13f9d320025e04b6f12131dd0e34917521b4596c118e4e3
Instruction Fuzzy Hash: EFC04C35045120EAC6502B14EC05B863F54EF55350F054451B404671B1C761AC41C6A4

Non-executed Functions

Function 00DC3675 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1032COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00DC36A9
GetLogicalDrives.KERNEL32 ref: 00DC3996

Strings

wY, xrefs: 00DC49EE
mm, xrefs: 00DC49DA
>>, xrefs: 00DC471A
bmdm, xrefs: 00DC3B70
pmrm, xrefs: 00DC3B3F
_p, xrefs: 00DC4A02
<, xrefs: 00DC4724
|s, xrefs: 00DC4A8E
bo, xrefs: 00DC49E4
PR, xrefs: 00DC4A48
Ys, xrefs: 00DC4A84
)mOm, xrefs: 00DC3B77
Hmkm, xrefs: 00DC3B69
ef, xrefs: 00DC4AA2
rl, xrefs: 00DC49D0
\\, xrefs: 00DC49F8
|i, xrefs: 00DC4A98
&Kt0, xrefs: 00DC42B5
45, xrefs: 00DC46DE
XH, xrefs: 00DC4A2A
AQ, xrefs: 00DC4A5C
fmkm, xrefs: 00DC3B4D
Vq, xrefs: 00DC4B78, 00DC4774, 00DC474F, 00DC4971, 00DC42C2, 00DC4579
Vq, xrefs: 00DC499E
9, xrefs: 00DC46D4
\a, xrefs: 00DC3725

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: DrivesEnvironmentExpandLogicalStrings
String ID: 9$&Kt0$)mOm$45$<$>>$AQ$Hmkm$PR$Vq$Vq$XH$Ys$\\$_p$bmdm$bo$ef$fmkm$mm$pmrm$rl$wY$|i$|s$\a
API String ID: 1595903574-2236109924
Opcode ID: 6ab8638663d83cf6758525ec9519c1e63d7df74aaf2875b0f1ad891f76c5845f
Instruction ID: dc64e0b1aff447d2189aab893387b377b831cd420377359750216633fe08892d
Opcode Fuzzy Hash: 6ab8638663d83cf6758525ec9519c1e63d7df74aaf2875b0f1ad891f76c5845f
Instruction Fuzzy Hash: 4EA296B991132A9BDB20DF18DC8979EBB71FF95300F1486E8C8596B350E7349A81CF91

Function 00DD5ED3 Relevance: 40.3, Strings: 32, Instructions: 339COMMON

Download Yara Rule

Strings

t, xrefs: 00DD60F5
t, xrefs: 00DD60D1
}, xrefs: 00DD609B
t, xrefs: 00DD605C
s, xrefs: 00DD6092
e, xrefs: 00DD6038
z, xrefs: 00DD6065
O, xrefs: 00DD6122
y, xrefs: 00DD6041
`, xrefs: 00DD6026
Y, xrefs: 00DD60FE
{, xrefs: 00DD5FF9
N, xrefs: 00DD6119
), xrefs: 00DD5ED9
X, xrefs: 00DD6107
{, xrefs: 00DD6077
t, xrefs: 00DD60C8
E, xrefs: 00DD6110
{, xrefs: 00DD6002
f, xrefs: 00DD604A
|, xrefs: 00DD60AD
d, xrefs: 00DD60A4
:, xrefs: 00DD5FD5
j, xrefs: 00DD6089
K, xrefs: 00DD5FF0
r, xrefs: 00DD602F
m, xrefs: 00DD60EC
}, xrefs: 00DD6080
|, xrefs: 00DD6014
e, xrefs: 00DD60DA
c, xrefs: 00DD60BF
s, xrefs: 00DD600B

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: )$:$E$K$N$O$X$Y$`$c$d$e$e$f$j$m$r$s$s$t$t$t$t$y$z${${${$|$|$}$}
API String ID: 0-2770104185
Opcode ID: 8cf8c0787da75bd2759f4c5f4ba7e18480f298639ed5daa587cd3d91e0faf537
Instruction ID: b4aed009783f5c9a8c1261b18576c6bfd90128f620fc64faed26a452e72eb431
Opcode Fuzzy Hash: 8cf8c0787da75bd2759f4c5f4ba7e18480f298639ed5daa587cd3d91e0faf537
Instruction Fuzzy Hash: D3E1B835A2462986DB25CF14CC413DDB3B2FF84310F5491EDC469AB361EB388A81CB5B

Function 00DC3C40 Relevance: 39.2, APIs: 2, Strings: 20, Instructions: 663COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00DC3D59
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00DC3D99

Strings

Ys, xrefs: 00DC4A84
wY, xrefs: 00DC49EE
mm, xrefs: 00DC49DA
ef, xrefs: 00DC4AA2
>>, xrefs: 00DC471A
rl, xrefs: 00DC49D0
_p, xrefs: 00DC4A02
<, xrefs: 00DC4724
\\, xrefs: 00DC49F8
|i, xrefs: 00DC4A98
|s, xrefs: 00DC4A8E
&Kt0, xrefs: 00DC42B5
bo, xrefs: 00DC49E4
45, xrefs: 00DC46DE
XH, xrefs: 00DC4A2A
AQ, xrefs: 00DC4A5C
Vq, xrefs: 00DC499E
Vq, xrefs: 00DC4B78, 00DC4774, 00DC474F, 00DC4971, 00DC42C2, 00DC4579
PR, xrefs: 00DC4A48
9, xrefs: 00DC46D4

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 237503144-3538275056
Opcode ID: 58faea12e210575752b57f28a7324ac27cfa74d971c792cc9c3216d16de727bd
Instruction ID: c1c448de480c89d10b4a400b33ff05ea207a0008fb6c33ceea35482e403169db
Opcode Fuzzy Hash: 58faea12e210575752b57f28a7324ac27cfa74d971c792cc9c3216d16de727bd
Instruction Fuzzy Hash: 007262B990536A9BDB60DF19DC883CDBB71FB95304F108AE9C4596B390DB744A81CF82

Function 00DC3EC0 Relevance: 39.2, APIs: 1, Strings: 21, Instructions: 651COMMON

Download Yara Rule

Strings

Ys, xrefs: 00DC4A84
wY, xrefs: 00DC49EE
mm, xrefs: 00DC49DA
ef, xrefs: 00DC4AA2
>>, xrefs: 00DC471A
rl, xrefs: 00DC49D0
_p, xrefs: 00DC4A02
<, xrefs: 00DC4724
\\, xrefs: 00DC49F8
|i, xrefs: 00DC4A98
|s, xrefs: 00DC4A8E
&Kt0, xrefs: 00DC42B5
bo, xrefs: 00DC49E4
45, xrefs: 00DC46DE
XH, xrefs: 00DC4A2A
AQ, xrefs: 00DC4A5C
Vq, xrefs: 00DC499E
Vq, xrefs: 00DC4B78, 00DC4774, 00DC474F, 00DC4971, 00DC42C2, 00DC4579
PR, xrefs: 00DC4A48
9, xrefs: 00DC46D4
0b, xrefs: 00DC3F5C

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 9$&Kt0$0b$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 0-1097330926
Opcode ID: e0c0e7af1a4a9a8960b4030dab884b322e3768567eb90bc6bee5552fd2c34a34
Instruction ID: a214e55d43e475f52a27ce0f42db88ea771617ae8f60e74b2c6a911fdb968909
Opcode Fuzzy Hash: e0c0e7af1a4a9a8960b4030dab884b322e3768567eb90bc6bee5552fd2c34a34
Instruction Fuzzy Hash: 557251B890536A9BDB60DF59DC887CDBB71FFA5300F108AE9C4596B250DB344A81CF82

Function 00DC4060 Relevance: 37.3, APIs: 1, Strings: 20, Instructions: 581COMMON

Download Yara Rule

Strings

Ys, xrefs: 00DC4A84
wY, xrefs: 00DC49EE
mm, xrefs: 00DC49DA
ef, xrefs: 00DC4AA2
>>, xrefs: 00DC471A
rl, xrefs: 00DC49D0
_p, xrefs: 00DC4A02
<, xrefs: 00DC4724
\\, xrefs: 00DC49F8
|i, xrefs: 00DC4A98
|s, xrefs: 00DC4A8E
&Kt0, xrefs: 00DC42B5
bo, xrefs: 00DC49E4
45, xrefs: 00DC46DE
XH, xrefs: 00DC4A2A
AQ, xrefs: 00DC4A5C
Vq, xrefs: 00DC499E
Vq, xrefs: 00DC4B78, 00DC4774, 00DC474F, 00DC4971, 00DC42C2, 00DC4579
PR, xrefs: 00DC4A48
9, xrefs: 00DC46D4

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 0-3538275056
Opcode ID: 4f64d56b85efe20d79100c835fcd219f0a221ee598e78d566ca2302456a11a84
Instruction ID: fd8c57d0f2f8ad478e22b1ccf7584ebb2e647c7008bd42a75dfe2e7e254148fd
Opcode Fuzzy Hash: 4f64d56b85efe20d79100c835fcd219f0a221ee598e78d566ca2302456a11a84
Instruction Fuzzy Hash: 8D6231B990536A9BDB60DF19DC883CDBB71FBA5304F108AE9C4596B350DB354A81CF82

Function 00C82A83 Relevance: 31.5, Strings: 25, Instructions: 244COMMON

Download Yara Rule

Strings

KddaTVdpg, xrefs: 00C82CAB
umme, xrefs: 00C82C33
sk s, xrefs: 00C82C29
ove, xrefs: 00C82B11
Word phone traiTeacher not quickly energy their. Co, xrefs: 00C82E29
OVTeaKslizCq, xrefs: 00C82D92
LITkDS, xrefs: 00C82CB3
ject, xrefs: 00C82BDA
ch a, xrefs: 00C82BBC
Me add require car information. Floor work t, xrefs: 00C82CBB
pro, xrefs: 00C82BD0
Auth, xrefs: 00C82C01
t ta, xrefs: 00C82C1F
pply, xrefs: 00C82BC6
sea, xrefs: 00C82BE4
Concern face foreign mission. Myself, xrefs: 00C82E0E
orit, xrefs: 00C82C0B
y lo, xrefs: 00C82C15
a, xrefs: 00C82BF8
qGoWCeyAc, xrefs: 00C82CCD
er., xrefs: 00C82C3D
Spee, xrefs: 00C82BB2
son , xrefs: 00C82BEE
lZnTSoH, xrefs: 00C82E06
f p, xrefs: 00C82CA1

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID:
String ID: pro$ sea$Auth$Concern face foreign mission. Myself$KddaTVdpg$LITkDS$Me add require car information. Floor work t$OVTeaKslizCq$Spee$Word phone traiTeacher not quickly energy their. Co$a$ch a$er.$f p$ject$lZnTSoH$orit$ove$pply$qGoWCeyAc$sk s$son $t ta$umme$y lo
API String ID: 0-347408702
Opcode ID: 92945c2ee717319626a833622e887e2cb89f93c9b164db97dfb2c274b020162d
Instruction ID: 774feb9908b98c5bf2bef1d0b7f0e8076187354dc532daeb6f013dbe138cf1f1
Opcode Fuzzy Hash: 92945c2ee717319626a833622e887e2cb89f93c9b164db97dfb2c274b020162d
Instruction Fuzzy Hash: 2DE1ACB0E0421ACFCB60CFA9C985BDEBBF0BF48304F108599E458AB255D3749A85CF59

Function 00DD7CF0 Relevance: 26.8, APIs: 10, Strings: 5, Instructions: 574memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00DE268C,00000000,00000001,00DE267C,00000000), ref: 00DD7E10
SysAllocString.OLEAUT32([d), ref: 00DD7E93
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00DD7ED1
SysAllocString.OLEAUT32(!,.,), ref: 00DD7F2F
SysAllocString.OLEAUT32(B6ABB756), ref: 00DD7FEF
VariantInit.OLEAUT32(?), ref: 00DD805E
VariantClear.OLEAUT32(?), ref: 00DD81B1
SysFreeString.OLEAUT32 ref: 00DD81D4
SysFreeString.OLEAUT32(?), ref: 00DD81DA
SysFreeString.OLEAUT32(00000000), ref: 00DD81EE

Strings

,,Y,, xrefs: 00DD7EE7
W;, xrefs: 00DD7D37
\, xrefs: 00DD7DCA
C, xrefs: 00DD7DBF
[d, xrefs: 00DD7D7C

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: ,,Y,$C$W;$[d$\
API String ID: 2485776651-2867424240
Opcode ID: 3b60d713b9b9be0288f9b53270a0fe72fa1aefdaf475bc0a5ee4d45d8acbfb35
Instruction ID: e3eca01f89c88f7eb12cdec008b5445974ec74e8ce61321e78f6e3bafdfed1f6
Opcode Fuzzy Hash: 3b60d713b9b9be0288f9b53270a0fe72fa1aefdaf475bc0a5ee4d45d8acbfb35
Instruction Fuzzy Hash: B002A9766083009BD710DF64CC85B6BBBE5EFC5710F18882EE595DB3A0DB74E8058B62

Function 00DB77AD Relevance: 23.5, APIs: 3, Strings: 10, Instructions: 788COMMON

Download Yara Rule

Strings

Jc1t, xrefs: 00DB7D1E, 00DB7886, 00DB78A2, 00DB7913, 00DB7962, 00DB7D27
"f&f, xrefs: 00DB7CB5
Jc1t, xrefs: 00DB77D0
=f!f, xrefs: 00DB7CBD
)fvf, xrefs: 00DB7CDD
,f4f, xrefs: 00DB7CD5
{fGf, xrefs: 00DB7CF6
=f(f, xrefs: 00DB7CC5
21, xrefs: 00DB786B
Pf6f, xrefs: 00DB7CCD

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "f&f$)fvf$,f4f$21$=f!f$=f(f$Jc1t$Jc1t$Pf6f${fGf
API String ID: 0-2638289701
Opcode ID: a9fb51a28b7d888b523c512568f91f0c81420d4aa0b564fc4f4d9829096e879d
Instruction ID: 00900125a09fe2b6d661cca651fe962ebff0aea65d5c43056cd16ebb71b5790f
Opcode Fuzzy Hash: a9fb51a28b7d888b523c512568f91f0c81420d4aa0b564fc4f4d9829096e879d
Instruction Fuzzy Hash: 7D42F372508351CBD724CF28C8906ABB7E1EFC9354F19492DE8CA9B360EB349951CB66

Function 00C8116C Relevance: 19.7, APIs: 13, Instructions: 202sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00C811B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00C81238
__p__acmdln.MSVCRT ref: 00C81261
malloc.MSVCRT ref: 00C812EB
strlen.MSVCRT ref: 00C81323
malloc.MSVCRT ref: 00C8132E
memcpy.MSVCRT ref: 00C81344
GetStartupInfoA.KERNEL32 ref: 00C81433

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 15ef8bdc2bcdda15b20bcd4c66ab95a869d344dae5b162a0beb24b6a583dd3a6
Instruction ID: 4f2a335d5a85df8445be53bfe363622874ab60291741663f4dbb1e5f5d94bcf1
Opcode Fuzzy Hash: 15ef8bdc2bcdda15b20bcd4c66ab95a869d344dae5b162a0beb24b6a583dd3a6
Instruction Fuzzy Hash: 8481BBB0908301CFDB10FF64E88436E7BE4FB44308F58482DD9959B211DB75A94EDB9A

Function 00DBE390 Relevance: 18.3, Strings: 14, Instructions: 821COMMON

Download Yara Rule

Strings

%b*], xrefs: 00DBE6BA
#J+Y, xrefs: 00DBE732
<[&^, xrefs: 00DBE6DA
3?Uq, xrefs: 00DBE6F2
?g3q, xrefs: 00DBE75A
A:v], xrefs: 00DBE6CA
5a|u, xrefs: 00DBE6FA
'O'O, xrefs: 00DBEABD
>, xrefs: 00DBE72A
^*a, xrefs: 00DBE6D2
2O#O, xrefs: 00DBEAC5
sy:K, xrefs: 00DBE712
Y?q?, xrefs: 00DBE791
7:n\, xrefs: 00DBE877

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ^*a$#J+Y$%b*]$'O'O$2O#O$3?Uq$5a|u$7:n\$<[&^$>$?g3q$A:v]$Y?q?$sy:K
API String ID: 0-3553224314
Opcode ID: f30c7a091bb807f8d94686f6f2ba6d1d027dce138f4dd77d96f13ab9b6b1b3fc
Instruction ID: cb521c37120cccd03a60af5c59b171ad6b1742faf4ccc2095793c19c640b53cd
Opcode Fuzzy Hash: f30c7a091bb807f8d94686f6f2ba6d1d027dce138f4dd77d96f13ab9b6b1b3fc
Instruction Fuzzy Hash: BE524870908391CFC724DF24C8507EABBE1EF96314F188A6DE4D69B392D7758905CBA2

Function 00DC0A20 Relevance: 16.7, Strings: 13, Instructions: 419COMMON

Download Yara Rule

Strings

O30, xrefs: 00DC0B18
*, xrefs: 00DC0EBB
d3f3, xrefs: 00DC0AC0
#3#3, xrefs: 00DC0AE8
k3l3, xrefs: 00DC0AD0
#3=3, xrefs: 00DC0AF8
83R3, xrefs: 00DC0AD8
'3!3, xrefs: 00DC0AF0
i3_3, xrefs: 00DC0AC8
83F3, xrefs: 00DC0B08
:3 3, xrefs: 00DC0AE0
J3L3, xrefs: 00DC0B10
93=3, xrefs: 00DC0B00

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: #3#3$#3=3$'3!3$*$83F3$83R3$93=3$:3 3$J3L3$O30$d3f3$i3_3$k3l3
API String ID: 0-1612148737
Opcode ID: 007a222a4d30ebe3fcb659bd29ad53017b7c2aacf1e70c33dad1c1af2c7a38df
Instruction ID: c180860887c8c16ad559e0de423c4e5d2472b2bf00220597c168a189eebc67fd
Opcode Fuzzy Hash: 007a222a4d30ebe3fcb659bd29ad53017b7c2aacf1e70c33dad1c1af2c7a38df
Instruction Fuzzy Hash: DAB1BFB1518311CBC724DF28C856B6BBBF1FFD1354F188A1CE4968B290E7749944CBA2

Function 00DC85E1 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 300COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00DC860A

Strings

wJbJ, xrefs: 00DC8912
bJSJ, xrefs: 00DC89D9
tJdJ, xrefs: 00DC8932
J, xrefs: 00DC893A
cJwJ, xrefs: 00DC891A
rJnJ, xrefs: 00DC892A
,J^J, xrefs: 00DC8922

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: J$,J^J$bJSJ$cJwJ$rJnJ$tJdJ$wJbJ
API String ID: 237503144-492521606
Opcode ID: bf056b9b3d85e393b7661f3247d1b3f95c5477f8e16ea9c460540aeec158bef8
Instruction ID: a7173ed8e5b6228482f86f062a8771ce6ca1849199f9dab6b788f274ac15d0bd
Opcode Fuzzy Hash: bf056b9b3d85e393b7661f3247d1b3f95c5477f8e16ea9c460540aeec158bef8
Instruction Fuzzy Hash: 5AA1D172908312CBD724CF54C850AABB3F2FFC0354F09892CE99A9B250EB74D905DB96

Function 00DB0247 Relevance: 13.0, APIs: 2, Strings: 5, Instructions: 700COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00DB04C9
RtlExpandEnvironmentStrings.NTDLL ref: 00DB05C0

Strings

f@, xrefs: 00DB09E4
i, xrefs: 00DB09EE
$, xrefs: 00DB0985
X@, xrefs: 00DB0916
<., xrefs: 00DB088E

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: $$<.$X@$f@$i
API String ID: 237503144-92190101
Opcode ID: 204a8f8b0dd62dc2d785dc2e026a3f8a55f48a0f79f191c346fc16444c0c1d8a
Instruction ID: c51d67bc61d8398832585cbbbe515976b82e28fe43a31f5c05cc8cfca6596376
Opcode Fuzzy Hash: 204a8f8b0dd62dc2d785dc2e026a3f8a55f48a0f79f191c346fc16444c0c1d8a
Instruction Fuzzy Hash: 9B525275A187508FC7649F38C4913EFBBE1AF85320F154A2EE8EA873D1D77489418B62

Function 00DD6569 Relevance: 12.8, Strings: 10, Instructions: 278COMMON

Download Yara Rule

Strings

|, xrefs: 00DD658A
A|, xrefs: 00DD65DB
<, xrefs: 00DD6739
Y|, xrefs: 00DD6593
?|, xrefs: 00DD6674
3), xrefs: 00DD6896
H|, xrefs: 00DD661A
0, xrefs: 00DD6886
>, xrefs: 00DD6742
L|, xrefs: 00DD65F6

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0$3)$<$>$?|$A|$H|$L|$Y|$|
API String ID: 0-3316653610
Opcode ID: 1be27c443668796f2eca7e93d9fd6dce6797ba104f40e7af84e2d1a6ed284b1d
Instruction ID: 72a53036f53cbb8b59895fbbc0924bbb95c8d97161585dbec6a67165dbf49fcc
Opcode Fuzzy Hash: 1be27c443668796f2eca7e93d9fd6dce6797ba104f40e7af84e2d1a6ed284b1d
Instruction Fuzzy Hash: ACC1E431D1426886DB24CF69CC507DDB3B2EF40314F1591EAC859AB3A4E7344E86CB9A

Function 00C814E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00C814F0
LoadLibraryA.KERNEL32 ref: 00C81506
GetProcAddress.KERNEL32 ref: 00C81525
GetProcAddress.KERNEL32 ref: 00C81537

Strings

__deregister_frame_info, xrefs: 00C8152C
__register_frame_info, xrefs: 00C8151A
libgcc_s_dw2-1.dll, xrefs: 00C814E9, 00C814FF

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 60073006f2e93a03b7892995d5efdb2e58d4d7e60f72b80aed105d65f1d73e45
Instruction ID: 9b5477d5bd316bb805b959ecdbb812d6f0d5b72b6db6320927455cb794e653b4
Opcode Fuzzy Hash: 60073006f2e93a03b7892995d5efdb2e58d4d7e60f72b80aed105d65f1d73e45
Instruction Fuzzy Hash: 0D0144F18082049BC7107F79A94D35E7FF8EB81358F05456DD98997211E7748448DB9F

Function 00C813C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00C81238
__p__acmdln.MSVCRT ref: 00C81261
malloc.MSVCRT ref: 00C812EB
strlen.MSVCRT ref: 00C81323
malloc.MSVCRT ref: 00C8132E
memcpy.MSVCRT ref: 00C81344
_amsg_exit.MSVCRT ref: 00C813EA
_initterm.MSVCRT ref: 00C8140C

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 445a4fec0e4bea682ca8121c44119ad1505e423f9a95d543e0f7fe6add6ef4b2
Instruction ID: 41a47520ffb4d03560c3ed580dd1e0312f0d984432e4679cc30ff47e4ab42e81
Opcode Fuzzy Hash: 445a4fec0e4bea682ca8121c44119ad1505e423f9a95d543e0f7fe6add6ef4b2
Instruction Fuzzy Hash: 654145B0A083028FDB14FF68E88436DBBE0FB44308F54492DD9959B311DB74A949DB5A

Function 00DBCAA0 Relevance: 11.8, Strings: 9, Instructions: 564COMMON

Download Yara Rule

Strings

*, xrefs: 00DBD128
=_, xrefs: 00DBD054
8!?!, xrefs: 00DBCB5E
(!T!, xrefs: 00DBCB6E
pdvd, xrefs: 00DBCCD3
|jsj, xrefs: 00DBCEA0
8!(!, xrefs: 00DBCB4E
2!0!, xrefs: 00DBCB46
ejuj, xrefs: 00DBCEB8

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: (!T!$*$2!0!$8!(!$8!?!$=_$ejuj$pdvd$|jsj
API String ID: 0-157059723
Opcode ID: b6f130a68dbc5659bf791ae0f49e93641560ff5307fa7ddc8a211c37b056e987
Instruction ID: c51e9e9b4ecda7c498198c7bf68322c9729d7dfd865bff9d7e34b23668a53033
Opcode Fuzzy Hash: b6f130a68dbc5659bf791ae0f49e93641560ff5307fa7ddc8a211c37b056e987
Instruction Fuzzy Hash: 3C02DEB291C310DBC7049F15D8826ABB7F2FF95354F08982CF58A8B351E735DA058BA6

Function 00DC8A4D Relevance: 11.6, Strings: 9, Instructions: 394COMMON

Download Yara Rule

Strings

wJbJ, xrefs: 00DC8912
bJSJ, xrefs: 00DC89D9
Uqmq, xrefs: 00DC8ADE
tJdJ, xrefs: 00DC8932
J, xrefs: 00DC893A
cJwJ, xrefs: 00DC891A
oq|q, xrefs: 00DC8B36
rJnJ, xrefs: 00DC892A
,J^J, xrefs: 00DC8922

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: J$,J^J$Uqmq$bJSJ$cJwJ$oq|q$rJnJ$tJdJ$wJbJ
API String ID: 0-594100160
Opcode ID: 72af1245035110ba7eb7cdc4550bd166da26a6aaa7636ccc3e29c5959b857a12
Instruction ID: e6d9f0f341ca3d4d189505703ea3bc44f14b094cd046076b5fe0b97d59e25aec
Opcode Fuzzy Hash: 72af1245035110ba7eb7cdc4550bd166da26a6aaa7636ccc3e29c5959b857a12
Instruction Fuzzy Hash: E6C1CFB15083028BC714DF54D861B6BB3B2FFC1350F08892CE4858B3A4FB749A54DB6A

Function 00DB16A0 Relevance: 11.1, APIs: 3, Strings: 2, Instructions: 2356COMMON

Download Yara Rule

Strings

&8, xrefs: 00DB19C3
`, xrefs: 00DB25BC

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: &8$`
API String ID: 0-842996520
Opcode ID: 9bc031c60d14104d4348bc0935ad4d8fae7a44a4b7e82d9ea876acbc35f7f28e
Instruction ID: d357f2d47808b527e579b8a4f87ed38e11f894f10f7d40ca202662bd88015e1f
Opcode Fuzzy Hash: 9bc031c60d14104d4348bc0935ad4d8fae7a44a4b7e82d9ea876acbc35f7f28e
Instruction Fuzzy Hash: A813D276D14214CBDB14DF78C8813EEBBF1AF45310F1586A9D89AAB391E7348D41CBA2

Function 00C811A3 Relevance: 10.6, APIs: 7, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00C811B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00C81238
__p__acmdln.MSVCRT ref: 00C81261
malloc.MSVCRT ref: 00C812EB
strlen.MSVCRT ref: 00C81323
malloc.MSVCRT ref: 00C8132E
memcpy.MSVCRT ref: 00C81344
_amsg_exit.MSVCRT ref: 00C813EA
_initterm.MSVCRT ref: 00C8140C

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 129f987374dbfe0e479f2212d3ad24bb06521e8957f4d262248aed6ce5e8b77d
Instruction ID: 5fcd1894b02d0d182fe18c54167a31a5fbe8393ce2f810adb7c5f5e59c24a46c
Opcode Fuzzy Hash: 129f987374dbfe0e479f2212d3ad24bb06521e8957f4d262248aed6ce5e8b77d
Instruction Fuzzy Hash: 724169B0A043018FDB10EF68E88436DBBF4FB44308F54442DD8559B720DB70A949DB9A

Function 00C81160 Relevance: 9.1, APIs: 6, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00C811B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00C81238
__p__acmdln.MSVCRT ref: 00C81261
malloc.MSVCRT ref: 00C812EB
strlen.MSVCRT ref: 00C81323
malloc.MSVCRT ref: 00C8132E
memcpy.MSVCRT ref: 00C81344
GetStartupInfoA.KERNEL32 ref: 00C81433

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 8fd06c3f95d0970d543765678dd968a2aff6142ccf0306055f7efdeb3cb3dd4e
Instruction ID: 34e7be3c5b8ea5aea94c106648bd4266b1ca51417364bae75d8862c228c01c2e
Opcode Fuzzy Hash: 8fd06c3f95d0970d543765678dd968a2aff6142ccf0306055f7efdeb3cb3dd4e
Instruction Fuzzy Hash: A451ADB1A04301CFDB10EF68E88476EBBF4FB48308F58452CE9559B321DB70A909DB99

Function 00DD22E0 Relevance: 9.1, APIs: 6, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00DD22F0
GetClipboardData.USER32 ref: 00DD230B
GlobalLock.KERNEL32 ref: 00DD232A
CloseClipboard.USER32 ref: 00DD243D

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 21bc4109864cf8c54a463eb7655d939313bca413cf6a7d6986b198bf6951da30
Instruction ID: 869701716f528cd043fa20d27917ce3b36c3da6a8d902283698c5a4fd62c1f23
Opcode Fuzzy Hash: 21bc4109864cf8c54a463eb7655d939313bca413cf6a7d6986b198bf6951da30
Instruction Fuzzy Hash: D0313871548355CFD300BFA8958537EBBF4EFA4310F15082EE8C68A321D6798A8997A3

Function 00DADA8B Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

6"", xrefs: 00DADEB1
"", xrefs: 00DADE91
D, xrefs: 00DADD75
"", xrefs: 00DADE61
d"P", xrefs: 00DADE49
p"F", xrefs: 00DADE11

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 6""$D$d"P"$p"F"$""$""
API String ID: 0-1382292853
Opcode ID: 7afc122fe0fe9767a21e61a8820e0eadc5a5035476c08a59471e2cfb6c5d3bbd
Instruction ID: ee6a8ead7f90d0ac176c4f93741c1e9e3e7be6f38aa82935da1afe8757647a2a
Opcode Fuzzy Hash: 7afc122fe0fe9767a21e61a8820e0eadc5a5035476c08a59471e2cfb6c5d3bbd
Instruction Fuzzy Hash: 5FB1D1B04093829BE728CF81CA9476BBBF1FF85748F504A8CE5951B290D3F58648DF96

Function 00DC5770 Relevance: 7.7, Strings: 6, Instructions: 226COMMON

Download Yara Rule

Strings

c2o2, xrefs: 00DC59BB
m2?2, xrefs: 00DC59AB
}2q2, xrefs: 00DC5983
M2x2, xrefs: 00DC59B3
u202, xrefs: 00DC598B
o2x2, xrefs: 00DC5993

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: M2x2$c2o2$m2?2$o2x2$u202$}2q2
API String ID: 0-1290146539
Opcode ID: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction ID: a2578b42af85cae07f6a8303d44c58776876ee5e336b42acfe3565b7b87b0e82
Opcode Fuzzy Hash: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction Fuzzy Hash: FE612EB18087518BC720CF04D981B6BB7F1FFC1324F08896CE8814B398EB759A44CBA6

Function 00DC6990 Relevance: 7.6, Strings: 6, Instructions: 104COMMON

Download Yara Rule

Strings

%M)M, xrefs: 00DC7198
4M:M, xrefs: 00DC71AE
MM, xrefs: 00DC710C
)M-M, xrefs: 00DC712A
>M5M, xrefs: 00DC718D
-M M, xrefs: 00DC71C4

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: %M)M$)M-M$-M M$4M:M$>M5M$MM
API String ID: 0-1618744259
Opcode ID: c116fc93adddcf5a7d3eb31cf208a778ee66ed9508de48742a9460df2605e97e
Instruction ID: 1dd4dd2622a9dfbe0edd8a65cb38b46bd5029c19c4857bf2fa30dac6209b7c0a
Opcode Fuzzy Hash: c116fc93adddcf5a7d3eb31cf208a778ee66ed9508de48742a9460df2605e97e
Instruction Fuzzy Hash: FE41A9B061C3808AD2249F24E841BABBBB5FFC1354F1A482CE4C89B215E7368545CF2B

Function 00DAF529 Relevance: 7.1, Strings: 5, Instructions: 860COMMON

Download Yara Rule

Strings

+, xrefs: 00DAFE16
EN, xrefs: 00DAF982
", xrefs: 00DAF8AB
Vr, xrefs: 00DAF58B
L, xrefs: 00DAFC97

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "$+$EN$L$Vr
API String ID: 0-3667360776
Opcode ID: 19313966057ae06f281f08be96ff0db0eb69fff0ec279ff484d4d25442c8ef06
Instruction ID: 19693317925134453adbb0701347d608b850f3fdb4f95f4149fe2886af8d05bf
Opcode Fuzzy Hash: 19313966057ae06f281f08be96ff0db0eb69fff0ec279ff484d4d25442c8ef06
Instruction Fuzzy Hash: 677270765087408BD3289F78C4953AFBBE1AF85320F154A2EE9EAC73D1D77989408763

Function 00DB9930 Relevance: 6.8, APIs: 2, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

APIs

Part of subcall function 00DDCD20: LdrInitializeThunk.NTDLL(00DE009B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00DDCD4E

FreeLibrary.KERNEL32(?), ref: 00DBA030
FreeLibrary.KERNEL32(?), ref: 00DBA0CE

Strings

Fn@n, xrefs: 00DB9D65

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: Fn@n
API String ID: 764372645-2265005453
Opcode ID: 7ac020aebc0915383cae156f44eb724ab4af03ef37b446a5541e1e1cc10391e0
Instruction ID: 9c6aa6b286c2a6f34011b584de582cde0538b7b50d5f6d8da06d521a21af0466
Opcode Fuzzy Hash: 7ac020aebc0915383cae156f44eb724ab4af03ef37b446a5541e1e1cc10391e0
Instruction Fuzzy Hash: 0CA203766083519FD720DF28C8907AAF7E2BFD4300F19482CE9D697391E7B29945C7A2

Function 00DB51A9 Relevance: 6.7, Strings: 5, Instructions: 496COMMON

Download Yara Rule

Strings

sG, xrefs: 00DB5596
_KT!, xrefs: 00DB54A6
@U, xrefs: 00DB5578
C!ZZ, xrefs: 00DB547A
L4, xrefs: 00DB57E0

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: C!ZZ$_KT!$@U$sG$L4
API String ID: 0-1645361861
Opcode ID: 1bb2f5c5c2ba786d281751f2a714b8ced0ac823658b8e65bd0d603eb55dacd32
Instruction ID: da690478ea65c1ca89df08c897ae6d9e584f279d9f11b79341ece202626312db
Opcode Fuzzy Hash: 1bb2f5c5c2ba786d281751f2a714b8ced0ac823658b8e65bd0d603eb55dacd32
Instruction Fuzzy Hash: A0E12576618740DFC7249F24E8917ABB3E6EFC5314F19492CE4CACB3A4EB7188508762

Function 00DB90D1 Relevance: 6.5, Strings: 5, Instructions: 291COMMON

Download Yara Rule

Strings

7S>S, xrefs: 00DB92C8
LSES, xrefs: 00DB90F4
SS, xrefs: 00DB9254
MR, xrefs: 00DB926A
FS;S, xrefs: 00DB90FF

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 7S>S$FS;S$LSES$MR$SS
API String ID: 0-2954923458
Opcode ID: 3a2a090681c09fb53ad941abe6c51b264505d437a3f815f080947c2566beda6a
Instruction ID: 5122ab4144aafe1a549fecdfddd77851b343b461d496b5fdfcf26aae584ef45f
Opcode Fuzzy Hash: 3a2a090681c09fb53ad941abe6c51b264505d437a3f815f080947c2566beda6a
Instruction Fuzzy Hash: BDB159B1909391CBD3318F15C4A17EBF7E2EF86704F58992CD4CA8B250EBB48542CB96

Function 00DB8170 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00DB84AC

Strings

S-#9, xrefs: 00DB8929, 00DB8975

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: S-#9
API String ID: 237503144-700798346
Opcode ID: 3aff7900c3964cc9d920d0519aaebffac1ba3c4a3dd87f0f3ada6ab98a7f696c
Instruction ID: a7873b596d1f03354e1f4aa95fb5d051897bcce60192b571131a114ecb6de6b8
Opcode Fuzzy Hash: 3aff7900c3964cc9d920d0519aaebffac1ba3c4a3dd87f0f3ada6ab98a7f696c
Instruction Fuzzy Hash: 2CE1E676A047128BC724CF28C8816ABB7E6EFD4314F19892DE8C9DB364EB38C941C751

Function 00DC1570 Relevance: 5.6, Strings: 4, Instructions: 586COMMON

Download Yara Rule

Strings

,, xrefs: 00DC1B60
H, xrefs: 00DC1859
!@, xrefs: 00DC15A3
H, xrefs: 00DC1863

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$,$H$H
API String ID: 383220839-4170808191
Opcode ID: 964dec0acd6f97d2f40fe9418c004df0b0c711bcffa48a63c3ddb8b8dbc90542
Instruction ID: d7f4e80baf38f18005908e4cd55021658897426ce5ff87ed4ae050481cddcf0b
Opcode Fuzzy Hash: 964dec0acd6f97d2f40fe9418c004df0b0c711bcffa48a63c3ddb8b8dbc90542
Instruction Fuzzy Hash: 2532E0756083618FD3289F28C4917AFF7E2EF86310F19892DE4D987392E7798841CB52

Function 00DD2AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00DD2B27
GetSystemMetrics.USER32 ref: 00DD2B36

Strings

, xrefs: 00DD2BE4

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: bf3c032b931acc60b6c41011f04ebbff4994b9ccd71f07e3eabcdea932305731
Instruction ID: 5317eb1feaa01920f22db523a2e7941c8caf6c6121c615d3427c0e0900a32f3a
Opcode Fuzzy Hash: bf3c032b931acc60b6c41011f04ebbff4994b9ccd71f07e3eabcdea932305731
Instruction Fuzzy Hash: AA31A2B09143548FDB00EF68D98465EBBF4BF88304F01852EE998DB360D7B4A958CF92

Function 00DAEB3B Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 661COMMON

Download Yara Rule

Strings

m, xrefs: 00DAEB49

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-53672527
Opcode ID: 99d3c072bad2d47af32d6a48d3259e869eb8dffeb59c4f9069af93c1919d6540
Instruction ID: 470fe520cf257074dbab211279f5210ada49e7409d11042516391eab5c197b10
Opcode Fuzzy Hash: 99d3c072bad2d47af32d6a48d3259e869eb8dffeb59c4f9069af93c1919d6540
Instruction Fuzzy Hash: 3142B075A187508BD324DF78C4913AFB7E1EF89310F158A2EE8D987391E77889418B63

Function 00DC6520 Relevance: 4.1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

Strings

l'Y9, xrefs: 00DC6913
X`X*, xrefs: 00DC691B
{$[7, xrefs: 00DC6936

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: X`X*$l'Y9${$[7
API String ID: 2994545307-1509796914
Opcode ID: 14266878b848d6daa0aed9bc57cad04c011b84e6062ec0194c5ee640a8a8c2a5
Instruction ID: 471b358be64e4265053e2e4bcdefda32c2a37ac5bad9b973c7df72d9914155da
Opcode Fuzzy Hash: 14266878b848d6daa0aed9bc57cad04c011b84e6062ec0194c5ee640a8a8c2a5
Instruction Fuzzy Hash: 10B14972A143169BEB24CF14C841BABB3A2EFD5304F19852CE8859B395E335ED09C7B1

Function 00DA9570 Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

pid, xrefs: 00DA9628
bC, xrefs: 00DA99A3
mX, xrefs: 00DA95E3

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: bC$mX$pid
API String ID: 0-825546773
Opcode ID: ccfe5201a347801904cbc6d15add8fcb7bd2c6a9c59cad0cde4077b6a8e21e03
Instruction ID: 968f5a368f7af0b1558e15702f3cdc7e414bf730c1b6380377116ae7bbd462c6
Opcode Fuzzy Hash: ccfe5201a347801904cbc6d15add8fcb7bd2c6a9c59cad0cde4077b6a8e21e03
Instruction Fuzzy Hash: 0EC124B19183008BD328CF24C8516AFFBE5FF85304F19592DE5AADB260E735D508CBA6

Function 00DB0C83 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 498COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00DB0E57

Strings

zI, xrefs: 00DB1121

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: zI
API String ID: 237503144-2601089719
Opcode ID: aa8e5d1015712f5f78314e4018fa4ccf7949c4f20fea36c40e9047f1c336dc47
Instruction ID: 45a67165139fa67835012e5c598abf92f6c76528494944dbd1f16293038ced41
Opcode Fuzzy Hash: aa8e5d1015712f5f78314e4018fa4ccf7949c4f20fea36c40e9047f1c336dc47
Instruction Fuzzy Hash: A012B575A197508BC7689F38C5913EFBBE1AF85320F158A2DE8EAC73D1DB3485408762

Function 00DA4BE0 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

8, xrefs: 00DA5516
0, xrefs: 00DA551E

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: c6fa4c34ceac7447ec74d508ad4af4fb176ebffee8d6901d49e0fa4c64c3afa0
Instruction ID: a99e9ed1ff05cde7b6457fb7b5cd944d874f53a40d752dab2a8e8dcd7bc89858
Opcode Fuzzy Hash: c6fa4c34ceac7447ec74d508ad4af4fb176ebffee8d6901d49e0fa4c64c3afa0
Instruction Fuzzy Hash: CA7248716083419FDB14CF18D880B6ABBE1BFD9314F48891DF9898B391D3B5D958CBA2

Function 00DC69B0 Relevance: 3.0, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

`], xrefs: 00DC6FAD
ct, xrefs: 00DC6FBD

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: `]$ct
API String ID: 0-3656906445
Opcode ID: 66bed816ac07256f8013324d06c84d9d31e189c6c4de962603c26d4c80c77024
Instruction ID: cedaa4e6b7b4eb055e5580fe5481775efddc760cfb76bf449c2d6c7418f35e5d
Opcode Fuzzy Hash: 66bed816ac07256f8013324d06c84d9d31e189c6c4de962603c26d4c80c77024
Instruction Fuzzy Hash: BB0236B59083828FC714DF28D88066BBBE1EFD5354F19882DE5D58B382E735D905CBA2

Function 00DA9100 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

^~dx, xrefs: 00DA91FE
@, xrefs: 00DA9266

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @$^~dx
API String ID: 0-212991012
Opcode ID: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction ID: aceaec785169674c0f6689edd6fa016d5d6ecbf93a07a030cebe4cf74a9ab5ce
Opcode Fuzzy Hash: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction Fuzzy Hash: 91C1E07160C3918AD725CF79C4903ABFBE1AF97304F0858ADE4D5DB286D239C906C7A6

Function 00DC9630 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

02"4, xrefs: 00DC97E5
517, xrefs: 00DC9846

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 517$02"4
API String ID: 0-4117730321
Opcode ID: d40495ce686ea5de4d287959adfea2c880dd84853c096d329615e31dbff1176f
Instruction ID: c841565572f437201b5704fcc5e3fd5180f3ea164008e74770fcca49f5134e37
Opcode Fuzzy Hash: d40495ce686ea5de4d287959adfea2c880dd84853c096d329615e31dbff1176f
Instruction Fuzzy Hash: 55D10271908391DFD7059F28D8A5B6ABBE1EF99310F48896CF4C58B3A1D735D900CB62

Function 00DA42A0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00DA4691
), xrefs: 00DA431B

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 982b38a910b3715e497c89da10830dc5e359e8edf7a206de5653f92cbc285339
Instruction ID: aec17195c9abb721d8cd97b3db378136c093beff69365714f53a1de4b2dd499c
Opcode Fuzzy Hash: 982b38a910b3715e497c89da10830dc5e359e8edf7a206de5653f92cbc285339
Instruction Fuzzy Hash: 53D19EB19083449FD720CF18D84579ABBE4EFD6304F14492DF9999B382D7B5E908CBA2

Function 00DB602C Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

D, xrefs: 00DB6417
@g, xrefs: 00DB6034

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @g$D
API String ID: 0-2006007467
Opcode ID: 4758fe1f64cdc4d6972d5859ac650dc28e1824cd87ab5d16b2fb1466a3a001a3
Instruction ID: 6d8b056776c484643572c69b8ca5b1b50d3dc48be4e20d2fbda0d4d55fd14815
Opcode Fuzzy Hash: 4758fe1f64cdc4d6972d5859ac650dc28e1824cd87ab5d16b2fb1466a3a001a3
Instruction Fuzzy Hash: C1B1CEB1418310CBD328DF14C8657ABB7F1FF86354F098A5CE4CA6B6A0E7789904CB66

Function 00DB5A72 Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

7, xrefs: 00DB5BCA
gfff, xrefs: 00DB5C27

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: a9a3712c54665925a1200d07ef57dee1b79afcf8566f8f60e13e80cb321b073a
Instruction ID: 527a69a5759ea29b6da3bbd7246f5782895f942e6e82d864aedaac46fe29b622
Opcode Fuzzy Hash: a9a3712c54665925a1200d07ef57dee1b79afcf8566f8f60e13e80cb321b073a
Instruction Fuzzy Hash: 86A13B73A15A218BD724CF29DC817ABB6D2FBC4314F4EC62CD486DB359DA78D8018790

Function 00DA82C0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

${*{, xrefs: 00DA83BB
., xrefs: 00DA8319

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ${*{$.
API String ID: 0-434639839
Opcode ID: c5880e7465cd0425f4ff70529b8065b8270d08cfa12f75b9cbe436c6be65cc0a
Instruction ID: cecf03c6048330b59ff6f6f5743f439ba37ef665f368003dbdd06d6fa612026d
Opcode Fuzzy Hash: c5880e7465cd0425f4ff70529b8065b8270d08cfa12f75b9cbe436c6be65cc0a
Instruction Fuzzy Hash: F6815C32F043564BC7108E29C8C425AB7E3ABC6720F29CA69DCD59B3A5EA74CC455BD1

Function 00DDDB39 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

@, xrefs: 00DDDB9D
@, xrefs: 00DDDA4D

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: f4e6d804083bd764da6c92d1fa618e4171b0607d120e3ab717085727ff22edc9
Instruction ID: 3ca6c4f29207cb7a820a532138001889fec14bcb9b7558be6ba6f818cd04d9c5
Opcode Fuzzy Hash: f4e6d804083bd764da6c92d1fa618e4171b0607d120e3ab717085727ff22edc9
Instruction Fuzzy Hash: 6951F6B1A193208BD714CF28C96032BB6E2FFD5744F05A52DE4C59B398E7799804C7A6

Function 00DAE9B0 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

t,, xrefs: 00DAE9D0
_@, xrefs: 00DAEA5A

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: _@$t,
API String ID: 0-2713372951
Opcode ID: f9e6aef598c70e693911e4d21866c16a674cfe9cc8e860b076765eb522745246
Instruction ID: d6b4c14eae42df2a90f8942642129b16fefdf01c0185b64fe9239920d9dd9c74
Opcode Fuzzy Hash: f9e6aef598c70e693911e4d21866c16a674cfe9cc8e860b076765eb522745246
Instruction Fuzzy Hash: E851B07651875086D7249F7984112ABB7E1EF96720F158B2EF8F6C72D1D634C900C7A2

Function 00DDB940 Relevance: 1.9, Strings: 1, Instructions: 652COMMON

Download Yara Rule

Strings

f, xrefs: 00DDBB51

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: c1f14fb6ee73b949e648408e698c7a8e7539a5c92cb3fa8f24e049b272ffbdfa
Instruction ID: 20539039c70ebda2e9ef4ae849b1ffad60ac5abd4c1f45d6d02e8bc4b680c844
Opcode Fuzzy Hash: c1f14fb6ee73b949e648408e698c7a8e7539a5c92cb3fa8f24e049b272ffbdfa
Instruction Fuzzy Hash: 5312B170608341DFC715DF28C890A2AB7E6FFD8328F1A492EE5958B3A1D771D905CB62

Function 00DB4161 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00DB4400

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: D]+\
API String ID: 2994545307-1174097187
Opcode ID: 74a853cd556bb95d58b1b9229a5d63f1aa92cf6a11ec57851d78177aa0fb345d
Instruction ID: 944ee1b0c863d2ce63f344f0e62bda2ae4e81ce3860cf568d7a5d4b96d87f2de
Opcode Fuzzy Hash: 74a853cd556bb95d58b1b9229a5d63f1aa92cf6a11ec57851d78177aa0fb345d
Instruction Fuzzy Hash: D7B12431614305DBD724EF18EC91BAAB3E2EF84704F5A543CE986DB3A2E2719D1087A5

Function 00DCCE60 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

8a, xrefs: 00DCCE70

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 8a
API String ID: 0-1827930058
Opcode ID: 10e00a371e2b62822a39ef0f587d0632c18bd11dd4647e6de69dc99b82fc9e99
Instruction ID: db24e37350c71b59ed38f474813050761ccd56429fe0d45d3b0165ce9f622239
Opcode Fuzzy Hash: 10e00a371e2b62822a39ef0f587d0632c18bd11dd4647e6de69dc99b82fc9e99
Instruction Fuzzy Hash: 71B1D37150C3828BD729CF29C85176BFBE2AFD6304F58986DE0D68B391D7398406CB22

Function 00DDFB10 Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

mLjL, xrefs: 00DDFB90

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mLjL
API String ID: 2994545307-1911556848
Opcode ID: 4185b4376c4c2951050b61e95812064179e87c7e95f32a7f9b0dc7d4bbb3b97b
Instruction ID: ba4a01516ea90a73cc0991baaf618665e901371dd9c6ad8119be700acedad8b4
Opcode Fuzzy Hash: 4185b4376c4c2951050b61e95812064179e87c7e95f32a7f9b0dc7d4bbb3b97b
Instruction Fuzzy Hash: C3B11832A143118BD728CF18C89196FB7E2EFC4714F1A853DE9DA573A1DA31AC45C7A2

Function 00DA8E50 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

XqR, xrefs: 00DA8F8B

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: XqR
API String ID: 0-4205905425
Opcode ID: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction ID: d60fe32e312d4d578a57954586868afd3408edb90be49ca9eb50fafa73132579
Opcode Fuzzy Hash: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction Fuzzy Hash: 8471D13064C3858AD310DF7994A03ABFBF1AFA7380F0C456CE8C59B295D77A8509976A

Function 00DC1E60 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

'', xrefs: 00DC1EA8

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-2284169615
Opcode ID: d6e9abdb4dc99dfbb56fa7606e4bad989a4be9789b6ac84140ed30586b2d8291
Instruction ID: c7d6448c27ed0b14a5bb4a9e3e138b42236d41872952f569451b40d7457da531
Opcode Fuzzy Hash: d6e9abdb4dc99dfbb56fa7606e4bad989a4be9789b6ac84140ed30586b2d8291
Instruction Fuzzy Hash: C3718AB56043129BD7209F64CC92B7B73B4EF86354F18492CF9868B291E775E904C772

Function 00DBD900 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 00DBD9CB

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 023d796a260ce0f7c8f0fc127a3573debf86f0571bc275c4d185dc4dd61118bf
Instruction ID: c16b092e38cc9e40f858e62eb2d021484db16c0c09fa63e264c6b47b886a53eb
Opcode Fuzzy Hash: 023d796a260ce0f7c8f0fc127a3573debf86f0571bc275c4d185dc4dd61118bf
Instruction Fuzzy Hash: B8814E729042618FCB158E28C89139ABBE1AB95324F1DC67DECBA9B381D634DC05D7E1

Function 00DD73D0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

`', xrefs: 00DD758C

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: `'
API String ID: 0-2167327795
Opcode ID: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction ID: 55a058cdaf54fdd933ede36660c82f2b11c5b8d105c5b58ce7e6b577d187b19f
Opcode Fuzzy Hash: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction Fuzzy Hash: 5571472392C7514BD3249B3CD8400ABABE3AFD5320F298A7ED4E597755F279C4068363

Function 00DB95FD Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Q R , xrefs: 00DB9759

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Q R
API String ID: 0-3646680613
Opcode ID: d0d5fd15027c3aefcc3c93ea2c0d4c6d5ebb2bf2374fdf830101b17cb1e074dd
Instruction ID: 399d669b8ba38efc84381de32e845ceda6bf9bb3c8f782365e35d42f122246f7
Opcode Fuzzy Hash: d0d5fd15027c3aefcc3c93ea2c0d4c6d5ebb2bf2374fdf830101b17cb1e074dd
Instruction Fuzzy Hash: 7C419370514250DBC7389F24C8A57B7B3B5FFA6350F19461CE9CA4B3A1EB354941C7A2

Function 00DCB48C Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

EVJ_, xrefs: 00DCB52B

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: EVJ_
API String ID: 0-352177915
Opcode ID: f30e047e484969037fc4eb4c62fea0cf4c02e25f9b0753bd09319c24ffb46b74
Instruction ID: f8dff2dfea1f6f890feb7fa5ae7f5fcd7e93cc4b86f19e474969cbbf3a4a54c8
Opcode Fuzzy Hash: f30e047e484969037fc4eb4c62fea0cf4c02e25f9b0753bd09319c24ffb46b74
Instruction Fuzzy Hash: 6D5148319093924AD725CF39C4547BBFBE2AFE3310F28D4ADC4C99B291DB3584068762

Function 00DCB841 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Nv, xrefs: 00DCB8EF

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Nv
API String ID: 0-2521146493
Opcode ID: 6fdaa7983c0a47fd122296c8874ebcc310dbc98b8af821e68c52f130405d1906
Instruction ID: adb50440da60ada408382c220ecc78d3ed48fb4d036bdf21175e78e9bc507314
Opcode Fuzzy Hash: 6fdaa7983c0a47fd122296c8874ebcc310dbc98b8af821e68c52f130405d1906
Instruction Fuzzy Hash: 2551F3755083928BD339CB29C851BFBB7E1EFD6300F58986ED4CAD7250DB3488058B66

Function 00DDFF00 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 00DDFFCA

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 7f174b9b0ba1a37b1669cc9d7c69a08c6ff8f9067cca495652972e148c84ab6d
Instruction ID: 9051f5f10c54944f5c0c1848f00466eb92a2e0f4e3d1e3ade018af0203088ef0
Opcode Fuzzy Hash: 7f174b9b0ba1a37b1669cc9d7c69a08c6ff8f9067cca495652972e148c84ab6d
Instruction Fuzzy Hash: D44152729053009BC7149F24CC15B6BBBE2FFC5328F198A2CE4C95B3A0E7B59805C7A2

Function 00DAC942 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

G9, xrefs: 00DAC992

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: G9
API String ID: 0-2716091189
Opcode ID: 67ef5cf2c59fc6348082d1b5d6b33e37904a11bb62b1daa94ea59a02398bc3a9
Instruction ID: 7a661314263a60d5cc2838aa35e65a7bceef267de8cad5bf8568d52214a5d9a3
Opcode Fuzzy Hash: 67ef5cf2c59fc6348082d1b5d6b33e37904a11bb62b1daa94ea59a02398bc3a9
Instruction Fuzzy Hash: 084138736583218BCB28DF25CC517ABB7B2EFC5310F0A591CE4869BB50E7789504CB9A

Function 00DC904E Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

Dkpk, xrefs: 00DC90A0, 00DC916B

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Dkpk
API String ID: 0-2230318481
Opcode ID: 55292087b5eba78e43f5f92ed90a6ab5371ad4f46e7abaa27ff361e9fff5497d
Instruction ID: df524f710b5eea3f14f715c8682f2ec2f840cebab9da964ad0a07ceb2a7e69e6
Opcode Fuzzy Hash: 55292087b5eba78e43f5f92ed90a6ab5371ad4f46e7abaa27ff361e9fff5497d
Instruction Fuzzy Hash: D331C0766083028BC7109F59C86666BF3F2EFC5350F09892CE5D18B360EB38D940D762

Function 00DDF040 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 00DDF090

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a32d4ba99753c98989923a73ea399af83ac7905719a857147c157159cc3e6432
Instruction ID: 3a62c4ec354c73816f005965e35771067ea131c7d35eb7b477e2d95603986c28
Opcode Fuzzy Hash: a32d4ba99753c98989923a73ea399af83ac7905719a857147c157159cc3e6432
Instruction Fuzzy Hash: 3421CEB50193049BC310DF58D880A6BB7FAFFC5320F19592DE988873A0E372A944C766

Function 00DAC08B Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

|X|X, xrefs: 00DAC0EF

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: f07bcb6fa19b11aad50ed5172fae09ccfede9e8dfe0e379bfcf56c1b033d488f
Instruction ID: 0fdbe68c8d5263a9d29c8a363839383e8d2607cbe24a1c61f6207de5895ed7b5
Opcode Fuzzy Hash: f07bcb6fa19b11aad50ed5172fae09ccfede9e8dfe0e379bfcf56c1b033d488f
Instruction Fuzzy Hash: 8C218EBAE007228BC7258F58C895BAAB3B0FF49700F065228ED49FB750D635AC4187E4

Function 00DAC158 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

|X|X, xrefs: 00DAC1BF

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: abd9d86c53044a48979e7d40a74ea2493fa06fae3ee37efa5ab920a9d0241a91
Instruction ID: f3f1ba43c1acfb6d558db2341f0b2e15b3667a774d3112e427b555fca3369f96
Opcode Fuzzy Hash: abd9d86c53044a48979e7d40a74ea2493fa06fae3ee37efa5ab920a9d0241a91
Instruction Fuzzy Hash: D7119DBAE007229BC721CF68CC41BAAF3B1BF59700F065215E959FB360D671ED5287A4

Function 00DA2ED0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1370c26cf29f138675542a245239e7e15cbbad4f1f57309689aa5082fb2a330
Instruction ID: 70565b2373229d258189925749e92d16849e0eae50a92b7a836bf153b64de141
Opcode Fuzzy Hash: f1370c26cf29f138675542a245239e7e15cbbad4f1f57309689aa5082fb2a330
Instruction Fuzzy Hash: 4052E3715083458FCB15CF29C0806EABBE2BF8A304F198A6DF8D95B341D779DA49CB91

Function 00DA6640 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47020fe404eb94ccd796a3f7c89442c413f0964915e4c83ba78e707971765a8b
Instruction ID: 999b89f28406fdf14e7d89c0427b4f4e56c6e6b9e99d1926bc861435c59596e3
Opcode Fuzzy Hash: 47020fe404eb94ccd796a3f7c89442c413f0964915e4c83ba78e707971765a8b
Instruction Fuzzy Hash: 5552A0B0908B84CFE735CB34C4943A7BBE1EB62314F1C896DD5E606AC2C379E9858725

Function 00DDE710 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243076196549caac51a327d5a87738e9391ff7ce9e5dd7786cd8dc7bfb1f22ed
Instruction ID: f4f8286e47a3ba638a55c7415ef7b7a16e01a83e445545328317c0f8b030a8a0
Opcode Fuzzy Hash: 243076196549caac51a327d5a87738e9391ff7ce9e5dd7786cd8dc7bfb1f22ed
Instruction Fuzzy Hash: E512F131A19355CFC704EF28D8902AAB3E2FF89311F0A887DD945DB3A1EB359951CB90

Function 00DA7410 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: 622ee14fe790d5e4d5935657b6f25ac0ff99742ab2ba145bb9b112604bb5f644
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 0422BF72A087118BC725DF28DC806ABB3E1FFC6315F19892DD9CA97285D734E8118B66

Function 00DA38F0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086842b77be526946bfbdc64594de00c77248382873c638690df66011e143802
Instruction ID: 8aa8976ca6a94e6b4efdeac91192c0db564a8eb6920fadc93d164f8ae0b1448e
Opcode Fuzzy Hash: 086842b77be526946bfbdc64594de00c77248382873c638690df66011e143802
Instruction Fuzzy Hash: 1A321570915B108FC368CF29C590526BBF2BF86710B644A2EE6A787E90D776F945CB20

Function 00DDE820 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa81d9d46f9cd23f365e3dfcc894e9d1e616b97510152f3626070f7d31cd7922
Instruction ID: 35e6acd07d2f994a6a99d206bd0befa8c2168fffd82ce6b09c0294f5c87aedae
Opcode Fuzzy Hash: fa81d9d46f9cd23f365e3dfcc894e9d1e616b97510152f3626070f7d31cd7922
Instruction Fuzzy Hash: F502FF31619351CFC714EF28D8906AAB3E2FF89311F0A887DD945DB3A1EB35A951CB90

Function 00DB6777 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffba7d83065941af18366d0da61f896db75fec36b145e876041c158353015b67
Instruction ID: eed81cc0996682e7e8b76022cdf7b59110b2f19d273d71b82859b13847301c66
Opcode Fuzzy Hash: ffba7d83065941af18366d0da61f896db75fec36b145e876041c158353015b67
Instruction Fuzzy Hash: 9DE168729187118BD728CF28C8903BAB7E2EFD5310F19492CD4C6E7391DA79D845CBA1

Function 00DD86C0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d8eba528d158bc38055ea7285c2d06c28e2a90610d88a3de7a7e356b58bfd2
Instruction ID: 05f516a9f2a2319a8e84d8545a55e25ededa203777cf247624516d4fefd31494
Opcode Fuzzy Hash: 87d8eba528d158bc38055ea7285c2d06c28e2a90610d88a3de7a7e356b58bfd2
Instruction Fuzzy Hash: 1BE14572A043159BD711DE24DD8076BB3E2FFC4314F1A852EE988A7391DB71AC0297A2

Function 00DBB729 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf560dd45713adc213767dc4d81956392f7fda7c2bc997f73268bbed652357d
Instruction ID: 895551287af11af567922d90ac2cc247157461b755b8be906f89b5ae7e2f4204
Opcode Fuzzy Hash: dbf560dd45713adc213767dc4d81956392f7fda7c2bc997f73268bbed652357d
Instruction Fuzzy Hash: 55E1C075600601CFCB28CF29C4916B2B7F2FF96320719865ED4978B7A6E7B4E841CB64

Function 00DDE920 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0028266ea8be8715d621bc610b1ddb733da1da830630c8dadf5546ba36a3a725
Instruction ID: e7603cf9a8ee921367a0ddb3ec06ddd0efd9bd0f2384b27f4c5b1e096baf33b4
Opcode Fuzzy Hash: 0028266ea8be8715d621bc610b1ddb733da1da830630c8dadf5546ba36a3a725
Instruction Fuzzy Hash: B5F1EF31A19351CFC714DF28D8906AAB3F2FB89311F0A887DD945DB3A1EB75A950CB90

Function 00DDEA60 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78046788921d07499673d73861338ccde683ff7772a06f62c9ccb1e3cfda63dd
Instruction ID: dfaf5f5f844ccf64e54e1e47324b288e5a33502b97110e7a45fff73301561919
Opcode Fuzzy Hash: 78046788921d07499673d73861338ccde683ff7772a06f62c9ccb1e3cfda63dd
Instruction Fuzzy Hash: 63E1F431A19315CFD718DF28D8906ABB3E2EF89300F0A887DD986DB3A1EB359941C751

Function 00DDE9D0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b437fce1526af71cd4d72ea746d8aa1ce08d1538b4057ac46b5d63a22f776a6d
Instruction ID: 4b08c8e7a92ed6b282952629a7db6b99f51b3f6b5f3f48d669182d76f66e040e
Opcode Fuzzy Hash: b437fce1526af71cd4d72ea746d8aa1ce08d1538b4057ac46b5d63a22f776a6d
Instruction Fuzzy Hash: D1E1FF31A19355CFCB14DF28D8906AAB3E2EF89300F0A887DD945DB3A1EB359940CB91

Function 00DC5A90 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b317f4d9903c46b17422cded86aa86a914d48bb8f34914c46f3cf9fa359bc3d4
Instruction ID: d88d0745f7528148d2b99447ec004d89e66ea063a6d23b29f73fb61bac848bd0
Opcode Fuzzy Hash: b317f4d9903c46b17422cded86aa86a914d48bb8f34914c46f3cf9fa359bc3d4
Instruction Fuzzy Hash: B8E10FB1508345CFD720EF64D891B6BB7A1FBA5348F44892DF6899B3A0D770D841CB62

Function 00DA5930 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction ID: 81ac3d423505352cc13bbb0a3cd6eb61e4be44b93c34490e658f11026a2e19b5
Opcode Fuzzy Hash: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction Fuzzy Hash: 20E169711087419FD721DF29D880A6BBBE1EFA9300F488C2DF5D587752E275E948CBA2

Function 00DD8FD9 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f71392cb9b77c25c7071eae47a9727c002c0bfe262c32418e9ecce66340648
Instruction ID: bbe950777bac530a775f5998a5209721d76bfb76a09f2160cafd6d2cad5e5ab9
Opcode Fuzzy Hash: a7f71392cb9b77c25c7071eae47a9727c002c0bfe262c32418e9ecce66340648
Instruction Fuzzy Hash: 18D1E13A628352CBCB18AF24DCA117AB3F1FF85745F0AC46DC5499B3A0EB368950D725

Function 00DC2140 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d22b63296da2e6dbc20f12371ec1fc63efa4cc2ebd8bbe6b4e1cc9eb3c4b85
Instruction ID: 814520ab3b3ba653b41c93e950a8fd33b7509fe886255954b8afbc232605b00c
Opcode Fuzzy Hash: 17d22b63296da2e6dbc20f12371ec1fc63efa4cc2ebd8bbe6b4e1cc9eb3c4b85
Instruction Fuzzy Hash: 05A1F271A043129BD720AF18CC92B7BB3A1FF95314F59452CE9859B391E774E941C3B2

Function 00DCC8D0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa6e6d8998fa291ab4384125358c65857056bf0e1f8c11b60462456aead3f92
Instruction ID: 2e515f0fe53d05abacb9a796013f4a919c131156021197244d3253356c1624b1
Opcode Fuzzy Hash: 0fa6e6d8998fa291ab4384125358c65857056bf0e1f8c11b60462456aead3f92
Instruction Fuzzy Hash: E5A1A17160C3828BD729CF29C85176BFBE2AFD6304F18986DE4DA87391D7798405CB26

Function 00DC5ACF Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a58dd6cdedb167a81a9eee6258641f3615ba68f8e144798b016e06a5185852b
Instruction ID: 573bf4f63c3b43a0394a2b35c705afed9e20412f1b5e216b38e4c6d74156f238
Opcode Fuzzy Hash: 8a58dd6cdedb167a81a9eee6258641f3615ba68f8e144798b016e06a5185852b
Instruction Fuzzy Hash: 14A1353194C3568FC7249E68C440ABBB7A0EF55741F58892DE9C68B381E334E905E7B6

Function 00DDF780 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e8b164e36fded5391a2e9e4971754c05e6218830a85034fe7634eed5e330adf
Instruction ID: 73a4dd4a54d1876a39c3d02905456a78d86fed118b36493a0a75e81a9c6852d4
Opcode Fuzzy Hash: 9e8b164e36fded5391a2e9e4971754c05e6218830a85034fe7634eed5e330adf
Instruction Fuzzy Hash: 44A1D435A047219BC724DF18C89066EB3E2FF88310F19953DE99A9B3A1E771EC01C7A1

Function 00DBDDC0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e40a4e9f802bd351539d65e2b101deff079777f3ccf012f8e26dd544f9ff500
Instruction ID: 82f177731284ffffcf6c6cdc712cfff5b323d10995b33537087834912790eb14
Opcode Fuzzy Hash: 6e40a4e9f802bd351539d65e2b101deff079777f3ccf012f8e26dd544f9ff500
Instruction Fuzzy Hash: 77A1A333759A914BC71C9D7C4C522E9BA930BD6330B3DC36DA9F68B3E5DA698C024361

Function 00DDF450 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea21168ea69a6b91f7a6d3c6f94f62456477b03bdd5ad41e046d3d0f7793f8a0
Instruction ID: da0e7b11570e2bf729dbbd2d9d18d3fe452eaaf2fbb4db8559ca57e2425e0283
Opcode Fuzzy Hash: ea21168ea69a6b91f7a6d3c6f94f62456477b03bdd5ad41e046d3d0f7793f8a0
Instruction Fuzzy Hash: 5491B2792043119FC728DF18D99096AB3E2FF88710F19857EE9868B361EB31EC51CB91

Function 00DA61B0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: 536160457b75a19d3f8233b2b805ea60d139d279154f86f6a1f42bd7071c8750
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 1DC148B2A58741CFC360CF68DC86BABB7E1BB85318F08492DD1D9C6242E778E155CB16

Function 00DAB262 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ff27a6774e3c66d4d1dba8c96e1da5ebda4568ad2bd540efcf11afbd2cf94b
Instruction ID: bf6e4b32bb6e57ff5aca52fb90c5fabf98fd427ff0f6d068605fd7d6d6b3b13f
Opcode Fuzzy Hash: b4ff27a6774e3c66d4d1dba8c96e1da5ebda4568ad2bd540efcf11afbd2cf94b
Instruction Fuzzy Hash: C1A18872610B02CFC7249F29EC95A67B3F5FB89314F05892CE59ACB7A0D734E8118B60

Function 00DCF5D9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65933029633d22298b61b15fd42eb4d755ab68f221f436000442b0a7b34cae79
Instruction ID: 904e63f78df4068a2331370f20a0536e42a42c04daf9d3446e0696dd57725f31
Opcode Fuzzy Hash: 65933029633d22298b61b15fd42eb4d755ab68f221f436000442b0a7b34cae79
Instruction Fuzzy Hash: D2B11872604B408BD328DF38D8512A7BBE2EFD5310F088A3CD4DB87795E678A549C752

Function 00DC7551 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c13ad4bf30e700ccf475ed14e0310435fe69ac0b06f7ba6ce63f34df18f0e73
Instruction ID: a01a049d575638846fb3a82fc679c4b4e6597bd2f01b70928a7022acd89f2e57
Opcode Fuzzy Hash: 9c13ad4bf30e700ccf475ed14e0310435fe69ac0b06f7ba6ce63f34df18f0e73
Instruction Fuzzy Hash: 38A11831A08782CFD7149F38DC9072AB7E2AF95324F19866CE5A58B3A2D331D945CF61

Function 00DCBD77 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cb1ab614a822c34b9b0b325467fc6b7aca1f808d80f45c54b9dd76df2796d7
Instruction ID: 7d120e995de509ce5a5c16a4534333c5c88de4ac4a5c12990f5494348cbbb49c
Opcode Fuzzy Hash: c3cb1ab614a822c34b9b0b325467fc6b7aca1f808d80f45c54b9dd76df2796d7
Instruction Fuzzy Hash: 9D7147726183928BD3188F25C86173BBBD1EFD2704F2C886DE5D69B391D679C8019B62

Function 00DDF150 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57a7d5848ad4271daf905a21edf9c96ec09804bde32bd1c39245c7e8d375ba0f
Instruction ID: 126af8bfdb8e05b1f18453a012622cc142960dd2a8350130609a382002f7902f
Opcode Fuzzy Hash: 57a7d5848ad4271daf905a21edf9c96ec09804bde32bd1c39245c7e8d375ba0f
Instruction Fuzzy Hash: 068119366043119BCB249F18CC51A6FB3A2FFD4720F1A953DE98A9B365EB30AC51C791

Function 00DD7960 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bcae96ef708eafcf8801cbcf8b6cbf469d8363a5e67a3c4cd8c7a4a2a94793
Instruction ID: db000d43b99643910475909bda72dfc9f9e022a6c634bc4045d2c122e7e8aeb0
Opcode Fuzzy Hash: 11bcae96ef708eafcf8801cbcf8b6cbf469d8363a5e67a3c4cd8c7a4a2a94793
Instruction Fuzzy Hash: 1EA1F732A192148FDB00CF7CC9913AEB7F2EF84310F1585ABD486DB395E6798946CB61

Function 00DCBE3B Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9995462b59585aaf8e66ed9c43deb36c260812cfdc425e6a4999644065dc4a
Instruction ID: e97e48f200b6365aaaf244a66f32dc7509cc589d566aab3d3ef8bde55921fb1c
Opcode Fuzzy Hash: 5e9995462b59585aaf8e66ed9c43deb36c260812cfdc425e6a4999644065dc4a
Instruction Fuzzy Hash: A67156726183928BD3188F35C86173BBBD1DFD2704F2C886DE5D69B391D679C8019B62

Function 00DCBE9D Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b805d5b88a984f5f44b47d37be1c8eafde7dccd8c810515a411bfaac73c734d
Instruction ID: 9801dfc662926811fd9e5fecbe43bc1e0cd707379b89469f852ce3b049ecb95e
Opcode Fuzzy Hash: 1b805d5b88a984f5f44b47d37be1c8eafde7dccd8c810515a411bfaac73c734d
Instruction Fuzzy Hash: E2616772A183928BE3188F35C86173BBBD1DFD2304F2C886DE5D69B391D639C8058B61

Function 00DBC119 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446fc95e8c6e0e27461496f4b45be2dfcb5f516997b93e77c29d11c5e793f527
Instruction ID: 1535fc39fe93d1a40df6c0bcce625c929a76463a362853463ae9c05ca5fa5904
Opcode Fuzzy Hash: 446fc95e8c6e0e27461496f4b45be2dfcb5f516997b93e77c29d11c5e793f527
Instruction Fuzzy Hash: 3481ADB0910B009FC324EF39C942522BBF1FF56301B548A2DE8D78B795E335A456CBA6

Function 00DB64A3 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c1ee622049850aff70c47fd4e2962395f4edba42dd1a03ab851728d594c5fd
Instruction ID: 4b679cf0f7641f302e47f6257aa50ef9a900451b54772c127ac90c0abfbe2218
Opcode Fuzzy Hash: a3c1ee622049850aff70c47fd4e2962395f4edba42dd1a03ab851728d594c5fd
Instruction Fuzzy Hash: 8A81F375619701DBD720DF28C8807AAB7E2BFD8714F1A482CE4C6C73A1E775D85187A1

Function 00DB717B Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0cd2ba471f5adde629a40ff67ebef0d688f2a6ca94eadf047d67217c9de67f5
Instruction ID: 973c170a70a46bbd9b343127b1e2d2546e4c3bfb842bd5e92f70ba4587cbd0ac
Opcode Fuzzy Hash: f0cd2ba471f5adde629a40ff67ebef0d688f2a6ca94eadf047d67217c9de67f5
Instruction Fuzzy Hash: C871F235218701DFD724DF28C890BAAB7E2BFE8310F5A442CE8CAD7361E771985187A5

Function 00DC7C29 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e02099eb1973f5b7f3d6c6f4a994c18173b9790a14fe5cdada5f46905c28e17
Instruction ID: f156ed85e29c81f8c0f5af57bd6160e430b5a584cb71dce9d40ebe170d609617
Opcode Fuzzy Hash: 0e02099eb1973f5b7f3d6c6f4a994c18173b9790a14fe5cdada5f46905c28e17
Instruction Fuzzy Hash: 8C71C672A187028FC718CE29DC9162AB7D3AFD9310F5D863CD956CB396DB34E9018B61

Function 00DCBE86 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a1449fd9361fd50fdd431b0c9495591a829238119dd530919ea8c05f3eb6f1
Instruction ID: e47b191f7b5588bdab7466b76728a636d1ff282400f2ee44a655a153dc84da35
Opcode Fuzzy Hash: 55a1449fd9361fd50fdd431b0c9495591a829238119dd530919ea8c05f3eb6f1
Instruction Fuzzy Hash: D65159B29283928BD3188F35C86177BBBD1DFD2704F2C986DE5D59B391D2398805CB62

Function 00DDB1D0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50f21ed595a3e61b5a07403bd00d037f4eca74f0b7a56f65621a8791d344b997
Instruction ID: 1dca4bee826fb99df306e0c45f5d5a3ef5bed3b2dd1c66da56b2a3c366d479c8
Opcode Fuzzy Hash: 50f21ed595a3e61b5a07403bd00d037f4eca74f0b7a56f65621a8791d344b997
Instruction Fuzzy Hash: 9A510536A083159FD720AF28C84476BB7A2EFD4714F16843ED9849B361E771AC1187A5

Function 00DD0470 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071a01cc5d5914c92cb674eb703e535fd0d47de4094a92db8bd76150159cb59d
Instruction ID: 856b2f62eb69cd634187fdcf9a140cd379c8d24307f2d11a6ffaeaba58d21f4e
Opcode Fuzzy Hash: 071a01cc5d5914c92cb674eb703e535fd0d47de4094a92db8bd76150159cb59d
Instruction Fuzzy Hash: 70712726B4A6D14BC318693C9C213B97E874FD6334F2D832EE6F68B3E1C919C8159361

Function 00DDB650 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f067a65b49c41dd85b2745420b853dba59e79e70537148ff20488b02f13bb4a6
Instruction ID: 29fe32eafa3157d8e242e18321ae9e0ed6c59a3dab09c0a1a163ea9f89e96be2
Opcode Fuzzy Hash: f067a65b49c41dd85b2745420b853dba59e79e70537148ff20488b02f13bb4a6
Instruction Fuzzy Hash: AD51B331A05311DBCB20AF28D88056AB7A6FFC4728F1B492FD8849B360D771AC11CBE1

Function 00DCDEF1 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa78e81427f66bbc44c3f1c1b9722544642fac3fe1f521df7e0eb2d6b106c35
Instruction ID: 290f8471322ce54fdda047269ca12e69528217ab7d1575c8c9d7294587801f61
Opcode Fuzzy Hash: 4fa78e81427f66bbc44c3f1c1b9722544642fac3fe1f521df7e0eb2d6b106c35
Instruction Fuzzy Hash: 37811472B14B408BC3289F7DD8922ABBBE2AFC4310F18893DD4EAC7395E934A401C715

Function 00DB138A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction ID: cbf0ae7677e6ce96cfa36c7ff8a9e85eb14402c8f5fef6d531d799779ed741bf
Opcode Fuzzy Hash: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction Fuzzy Hash: 2E818476A187518BC3189F38C8512AEB7E5AFC9320F154B2EF5EAC72D1DA34C5009762

Function 00DBADD0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be7aea8b33c1e7c275612a35616a546eb65fa2ab16109da038313ef3bc5b02a
Instruction ID: e238896c736d9aa5305f83261227c0e52a49c3faca3f14d113906bf818503c04
Opcode Fuzzy Hash: 1be7aea8b33c1e7c275612a35616a546eb65fa2ab16109da038313ef3bc5b02a
Instruction Fuzzy Hash: 7C61F533B156918BCB1C9D7C8C512FEAA535B97330B2E836AB9B28B3D1C6258C0143B1

Function 00DD1E50 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148605eb3eabdc95a551381c3eaf3de223de4ecbb4ee0549afedf3daccc03d93
Instruction ID: 3848036a0b68244e19933d521494a9958b33b0a4f5f8b54874703135f9928659
Opcode Fuzzy Hash: 148605eb3eabdc95a551381c3eaf3de223de4ecbb4ee0549afedf3daccc03d93
Instruction Fuzzy Hash: FB61F736B599914BC7189E7C5C912B97A538FA633072DC36AF9B2CF3E5C224880593B0

Function 00DAC621 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9873224ee768f06cbc37c7ddc64dfa2ef0c2014a5214e19655f20897b15d213f
Instruction ID: 081e627d180fdcbf2913139df9117eb18141c55ef939356a4023be4ffd45ee34
Opcode Fuzzy Hash: 9873224ee768f06cbc37c7ddc64dfa2ef0c2014a5214e19655f20897b15d213f
Instruction Fuzzy Hash: 83511873A943114BE318CF64CC807ABB6E3EBC4300F1A943DED89E7790EA7999055B85

Function 00DD20B0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb59b55ab7083a7066182240ffb50f6c1112fe268c892b9dcffe58417dda153
Instruction ID: 3b1f3c2581968946ba00728e1e3a8ca52c860e6b96e0f88f1b81de02e480f392
Opcode Fuzzy Hash: ecb59b55ab7083a7066182240ffb50f6c1112fe268c892b9dcffe58417dda153
Instruction Fuzzy Hash: 3F51F233769A904B972C993D4C523B67E870BE3334B2EC76AA5F5CB3E4C56988058264

Function 00DBC3F4 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b6e35d231150894ddc9903a190a9d99de00d50b105ad9bbeed18d36965f0f2
Instruction ID: 8554478cc76aa707ee602e16d92b94d90b9ad065ea09a4bc0962243b03d0bc02
Opcode Fuzzy Hash: 38b6e35d231150894ddc9903a190a9d99de00d50b105ad9bbeed18d36965f0f2
Instruction Fuzzy Hash: 3651D0B0510B11DBD734CF29C841262B7F2FFA9300758962DD4978B768E33AB851CBA5

Function 00DD7170 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: 0f428f0005e56fe68574ced8ce9ddde3539211c9581a777aac8ef4b6c5226bd3
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: 37517CB15083548FE314DF69D89435BBBE1BBC4318F444A2EE4E983351E379DA088F92

Function 00DCCC5D Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4c7cc3054092d0725e8ac6773119516e98354f672d4d217abc8cb983fc072c
Instruction ID: d7cd7c10b23d95ea198b3c9fbcd52a28738d34f627ab8a15a812c7cef4844909
Opcode Fuzzy Hash: 1d4c7cc3054092d0725e8ac6773119516e98354f672d4d217abc8cb983fc072c
Instruction Fuzzy Hash: 2B51AF32A69B534BD7158A28C8C07A6BF82DF96351F0CD73DC9AA473C5D3289806D7B1

Function 00DCB00F Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2e2201d040b1920a1fe57929ffc5a531ff7b6d937bcd91f2537ed3299ff25c
Instruction ID: 30264af1b551ebcdae5e075f307d23ff13f7dfb61849e30487dbafea037ec33b
Opcode Fuzzy Hash: ae2e2201d040b1920a1fe57929ffc5a531ff7b6d937bcd91f2537ed3299ff25c
Instruction Fuzzy Hash: A6415061A543578FDB148A248C637B6B7A1EB66361F1D823FD89587381E328DC09E3F1

Function 00DCF211 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c71e343ef56675628c501d09b4bef148bad5310ba6bfe3da3ccce7b044b7b59
Instruction ID: 876984613eb7131e697882b2fbbf6bb46afbcfa82530912c304aba3f1737cd08
Opcode Fuzzy Hash: 2c71e343ef56675628c501d09b4bef148bad5310ba6bfe3da3ccce7b044b7b59
Instruction Fuzzy Hash: 6F51A432715B414BD368CF39C892297BBE3AF99310F19CA3DD4AAC77E4D638A4018711

Function 00DE04D0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba6d57e32800c9886d8b10d04743c2fc4207173ad6f22127b06d76c4dd6b21e2
Instruction ID: 8dc8169b3e40de2a165a239ecf3fb48357bf5cbe77addbcb7bccac58fc283a97
Opcode Fuzzy Hash: ba6d57e32800c9886d8b10d04743c2fc4207173ad6f22127b06d76c4dd6b21e2
Instruction Fuzzy Hash: AC4168343553419FD714AF55DC91FBABBA6EBC4314F2C542CE1858B3A0E6B1E8A1C724

Function 00DE0650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac9abbf981e061daa1460443a558e385ba860bbb82af52876d35f4e49b5bf5fb
Instruction ID: 3bffa7d66a43b88c524b25ccea313f360d01fdbded746102f1b8c32026e0aa0b
Opcode Fuzzy Hash: ac9abbf981e061daa1460443a558e385ba860bbb82af52876d35f4e49b5bf5fb
Instruction Fuzzy Hash: B44168782153019FD714BF55DC91F7ABBA6EBC4310F18442CE1849B3A0DAB1B8A1CB24

Function 00DC4CCD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f666b906d19252c1fd320f7fa4b0210ba55154800ffd15793108a41d268a11b
Instruction ID: 51589838d811739e283d4e557aac38060e2caa6ed03e9389e42d10bb8b33b259
Opcode Fuzzy Hash: 7f666b906d19252c1fd320f7fa4b0210ba55154800ffd15793108a41d268a11b
Instruction Fuzzy Hash: 134133B5E10221DBDB19DF28D8516AAB3F2FF98310F149579C845E7355EB389A10CBA0

Function 00DDDE19 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b211700cef97a572e9d634dec0b54c2e3a103df44d39ec683e05985c63a0d19c
Instruction ID: 075cee8f9c08b60aadab8f3f25b7ddeb14eefa42307171eb9b82f3118967f771
Opcode Fuzzy Hash: b211700cef97a572e9d634dec0b54c2e3a103df44d39ec683e05985c63a0d19c
Instruction Fuzzy Hash: 2831D433E106244BDB18CA3DC8A179BF7A3AFD4310F1E817ADCA9DB399DA7099014690

Function 00DDB450 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec2985780302d5aa3273ed5b9a0d767f598c974e891b956ae98c0d43c3c3275
Instruction ID: 0a402de913c73ad4f630a818187c3999f310af13e3658dd98a1fbb33001eff88
Opcode Fuzzy Hash: cec2985780302d5aa3273ed5b9a0d767f598c974e891b956ae98c0d43c3c3275
Instruction Fuzzy Hash: 7B31E472A09214DFD710CF18D944B6BB3E5EFC4718F16882ED884AB350D3719C46CBA1

Function 00DDDC5E Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5665005769c893b7e55adef3367a12abb2d4534ae95b2d948135d20c1c558276
Instruction ID: 4e5d4aeff2e5276f24743b3864dbba6922c1015bb0ce94442a16a8d680b2083a
Opcode Fuzzy Hash: 5665005769c893b7e55adef3367a12abb2d4534ae95b2d948135d20c1c558276
Instruction Fuzzy Hash: EF310572F507258BDF1CCFADCC523FEB6A2AB89304F18512ED946E7390CA7859018794

Function 00DD8E40 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction ID: 50897038e799d6e5904a40b9bca0ec603dd258987fb02f7bb9372594c45fe93f
Opcode Fuzzy Hash: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction Fuzzy Hash: 6731FB72A187604BC7195E3C8C5026A7A929BC5730F2E877EFEB64B3C0DE348C055395

Function 00DBBD8F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c4eb7ce51892e5204758cd27ee0a2375d30f58beb2a00be9266a235edf2139
Instruction ID: ffb5ecb194704c845e1819f7241d195fc625b89a6ed2f1ec2c9fe4563575b528
Opcode Fuzzy Hash: 33c4eb7ce51892e5204758cd27ee0a2375d30f58beb2a00be9266a235edf2139
Instruction Fuzzy Hash: 79310735611700CFD7258F25C890652B7E2FF8A328B29D59DD1938B7A6D73AE403C715

Function 00DC822F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be867c1fac9d3fdee5dd2ef417ca779902c756b908668fef20aa8de289fb05f
Instruction ID: 9db4d1379be977af7fc05963c835ae5bb84b2950319178053ca901df3c31d4c7
Opcode Fuzzy Hash: 9be867c1fac9d3fdee5dd2ef417ca779902c756b908668fef20aa8de289fb05f
Instruction Fuzzy Hash: 242101729087169FE310AB21DC41B2BB3E6EBD4314F55042CEA5897391E671AD028BA5

Function 00DC9A43 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a7efa84eaa4c8ef33d1e0fd02628a7f1b97eaa664a6ebe8e88a9500f6c29a0
Instruction ID: 7ec3b4ee5aaf71982d72964cf222e8d0095f519d367489bca2e0631a685e4a3a
Opcode Fuzzy Hash: 79a7efa84eaa4c8ef33d1e0fd02628a7f1b97eaa664a6ebe8e88a9500f6c29a0
Instruction Fuzzy Hash: 1F31AC31918365DFD7109F24D894B2AF3E1FB98304F05892CEA88AB351D771ED02CBA2

Function 00DE0400 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eed817050f98658058aad0b779648d16b05df12756cb081c4cb83110738d428d
Instruction ID: ba983260726d3192acfd0b37bfff498e5d7005511ef476be5401463ef15409a2
Opcode Fuzzy Hash: eed817050f98658058aad0b779648d16b05df12756cb081c4cb83110738d428d
Instruction Fuzzy Hash: 21216579A112415BC714AF15CD80AAEBBA6EBC4324F18852CEA908B3E5EAB19851C771

Function 00DC91B1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c6b4663813315305d2fb7dd354cf9801135b5ff3c946319c7f49bc656a46812
Instruction ID: afdb0215b2b12ef1e6a060179b3868559e04f183689d6a228a5f54747b65c871
Opcode Fuzzy Hash: 9c6b4663813315305d2fb7dd354cf9801135b5ff3c946319c7f49bc656a46812
Instruction Fuzzy Hash: 9B110371649212EFD7219B54C869F3AF3A6EB54700F4A402CE8859B3A2D331CC01C7B9

Function 00DB5F4C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d5314bfd7d1cc9b0b0ade0fc5131add492979590dd63c5a5800201c5dbd1820
Instruction ID: 1d986e503f7347bd2a2e7ebd0df37f2d1899796d617280eb92bfddba3cc32552
Opcode Fuzzy Hash: 7d5314bfd7d1cc9b0b0ade0fc5131add492979590dd63c5a5800201c5dbd1820
Instruction Fuzzy Hash: F221EE35609700DBD324DF28D8907BAB6E6BFCC310F58542DE4CAD7390DAB1A8518769

Function 00DC9266 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc213a1b63f9f5e4cfef6ae12a00b37a0c9d74abfdb93cb1394079d411628301
Instruction ID: 48f6a4647729eb7a367df9929aab2d909be89ef675f27e8eb402594735807170
Opcode Fuzzy Hash: bc213a1b63f9f5e4cfef6ae12a00b37a0c9d74abfdb93cb1394079d411628301
Instruction Fuzzy Hash: DC219032A193229BD724CB64C46472BF3A2BB98B00F46952DEC89E7390C3319C51C7E9

Function 00DB5E8C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11a8dbf08449bb26e85b2c05abb9feb74db74c1ff40293dc01606f10977bc9c8
Instruction ID: f5bd1b7d0c54e8b75599b5653cc5c3dd6d41314beb7740dcab1156724d7e82c3
Opcode Fuzzy Hash: 11a8dbf08449bb26e85b2c05abb9feb74db74c1ff40293dc01606f10977bc9c8
Instruction Fuzzy Hash: 77118C75614B108BD72ACF14D8907BAF2D7AFC8310F9D142CA9CAA7394EA71AC40C374

Function 00DCD5E6 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f01a5d4eb43138424e5d3ff4105311611af6e117d19718de4f35b320edebf37
Instruction ID: 856cf19447649a8d3c0a6d88336a040794bd4b74f72a098592bc9211713222ea
Opcode Fuzzy Hash: 4f01a5d4eb43138424e5d3ff4105311611af6e117d19718de4f35b320edebf37
Instruction Fuzzy Hash: 7A210A76A2536006CB6CCF39D8A96BAE292EB81300F19E63DD546E73A0FF3485008755

Function 00DD4E60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 3240bdbab7327eaf974d567b3bbd73434c3197cdb2e18b380c62fb3eebf001b3
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4F118633A091D44FC3168D3C8400565BFE31AD3635B5D83AAF4B49B3D2D6338D8A8365

Function 00DC9F80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction ID: 54320a7222ad779349d926b89e713fe7a3484ba2c5468d62494430db4a80eddb
Opcode Fuzzy Hash: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction Fuzzy Hash: 560184F1A003028FEB209E64A8D5F2BF2A8AF81714F1C492CE94497306EB75FD05C6B5

Function 00DDB8A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a36107e1e6395406fbc3976813ecade9d85e189cc2f65a3a04020dfc30d6b3c
Instruction ID: 7ad5e3dc7f63b5493969e83de0b66ebfed41f538199c6aabe97cdbef766a7df7
Opcode Fuzzy Hash: 0a36107e1e6395406fbc3976813ecade9d85e189cc2f65a3a04020dfc30d6b3c
Instruction Fuzzy Hash: 0711C275005348AFC610AB54DC8487BB7AAFFD9369F06042EE68497320E372A960DB71

Function 00DAA2A6 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2f30623b7bdebfb95b735524965386b1fa10ea9310f743f2ae1e7106c10fd2
Instruction ID: d11d41297aa76ae221f40ca5c5d9b1a8d1b0ef7a317444b7a83fea761ff61d48
Opcode Fuzzy Hash: bd2f30623b7bdebfb95b735524965386b1fa10ea9310f743f2ae1e7106c10fd2
Instruction Fuzzy Hash: 00112230A583818FDB748FAA8410276B7E1AF9331172DCA1CC4D39B344DB78A842CBA5

Function 00DDCDF0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccc9df0b570711c30606642b3c6e2a49e1e1ff0538eded68a0acaf02b86f10e
Instruction ID: 61a221fa379cfbfd1d7635c6a473a7a5c99179109bf6228ad13228d16b95104a
Opcode Fuzzy Hash: 3ccc9df0b570711c30606642b3c6e2a49e1e1ff0538eded68a0acaf02b86f10e
Instruction Fuzzy Hash: 8B01D633D16A614BD319CF38CC5039673E6AB85305F498538DA45EB398DB7A98508684

Function 00DCC7DD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714c4d393a7e9b0bb04db3cc6f5d75bdfc925870d2073350444094b6fdba2f21
Instruction ID: 58c2809c075b8837ca2c6d4b4626ded9d488ccaefc78439730e1e1795d99ed1d
Opcode Fuzzy Hash: 714c4d393a7e9b0bb04db3cc6f5d75bdfc925870d2073350444094b6fdba2f21
Instruction Fuzzy Hash: CBF0E9255897C345D319873D80B0B31FFD14F77350B2CA19CD5E6573D2D726880A9B60

Function 00DAA533 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction ID: bae0f17c499c8538587101fc79fe5062e7aba0fbc5f9df691d55fbaf32910c34
Opcode Fuzzy Hash: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction Fuzzy Hash: 54D01223D454344BC7208D6CC8811F9B2B65B95211F4553668451B7589D969D81A4684

Function 00C83DA0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00C83DCF
vfprintf.MSVCRT ref: 00C83DEF
abort.MSVCRT ref: 00C83DF4
VirtualQuery.KERNEL32 ref: 00C83E8B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00C83F37
Mingw-w64 runtime failure:, xrefs: 00C83DC8
VirtualProtect failed with code 0x%x, xrefs: 00C83F06
Address %p has no image-section, xrefs: 00C83F4B

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 2a5e2f24ab9cf9ad7b6743ca0e3b8f87683742d36816f5e557080431c01ba7f9
Instruction ID: 87055ea692868baa1d0a71ad37bf58a641181906fb1856624ff67ce8fbd7dcc3
Opcode Fuzzy Hash: 2a5e2f24ab9cf9ad7b6743ca0e3b8f87683742d36816f5e557080431c01ba7f9
Instruction Fuzzy Hash: D1516BB15043019FCB10FF28D88575EBBE1FF84718F45892CE4989B211E734E949CB9A

Function 00C842D0 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00C8430F
signal.MSVCRT ref: 00C84356
signal.MSVCRT ref: 00C8436F
signal.MSVCRT ref: 00C84396
signal.MSVCRT ref: 00C843D2
signal.MSVCRT ref: 00C8441F
signal.MSVCRT ref: 00C84435
signal.MSVCRT ref: 00C8444B

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: e9f57a1f70bbef4bee9f8009364b527bb8da04edf51e9a1cdd4a59fd3d3534a0
Instruction ID: 93390aa8f3c67ea9ae2e30f212cc83bba977eb40cbb6a8285956d6a909cd530d
Opcode Fuzzy Hash: e9f57a1f70bbef4bee9f8009364b527bb8da04edf51e9a1cdd4a59fd3d3534a0
Instruction Fuzzy Hash: 873160B01082138BE7587F64E55432EB6E4FB8136DF52490DD4D4C7291EB79CA84AB1B

Function 00DC349F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00DC3561
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00DC365E

Strings

afrf, xrefs: 00DC35CB
tfff, xrefs: 00DC35BD
dfkf, xrefs: 00DC35B6

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: afrf$dfkf$tfff
API String ID: 237503144-335445692
Opcode ID: ecf3e3d91cb42554945a14dfb0e9880d07f47eef1aa84d4465dbc89f41963c49
Instruction ID: c167b4c469db6ba2601049e2c0d2d883fb0b39ed5db0258ab7ec662fc43cc97b
Opcode Fuzzy Hash: ecf3e3d91cb42554945a14dfb0e9880d07f47eef1aa84d4465dbc89f41963c49
Instruction Fuzzy Hash: B151ACB1D003149FDB14CF9ADC82B9A7AB4FB84310F15816DE904AF399C7758942CBE6

Function 00DC84C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00DC8577

Strings

B]C], xrefs: 00DC84D2
S%1e, xrefs: 00DC8546, 00DC8500
B]V], xrefs: 00DC84E2
S%1e, xrefs: 00DC8590

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B]C]$B]V]$S%1e$S%1e
API String ID: 237503144-91396555
Opcode ID: d96a942fb353a859baa952a3e4705e4a479278d8f33078b1cede7c1cb0a14150
Instruction ID: 643a05ca00eaf71f1fefc7245da1ada7b111edad3afd76334f4ba6825eeb10c6
Opcode Fuzzy Hash: d96a942fb353a859baa952a3e4705e4a479278d8f33078b1cede7c1cb0a14150
Instruction Fuzzy Hash: 5B21357261C3154FE328CF25D851BABF2E7EBC4700F11C83D9489DB2D1DAB084068796

Function 00C83F60 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00C84253
Unknown pseudo relocation bit size %d., xrefs: 00C840CD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00C84080

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: b69670222a656c37ce4e22019914d87f42ff9c2e8db0a0956011fd31c48dbb5c
Instruction ID: 8b1bba6d7338764f2cda231c3c9cbc1ce9c517b86ffce09e32b01e4befe8b74a
Opcode Fuzzy Hash: b69670222a656c37ce4e22019914d87f42ff9c2e8db0a0956011fd31c48dbb5c
Instruction Fuzzy Hash: 6681D371A043128BCF14FF68D88479EBBF0FF84708F55852AE958AB254D330E9588B99

Function 00DAE042 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00DAE04E

Strings

>, xrefs: 00DAE3F1
&j=, xrefs: 00DAE1DE
lackadausaz.click, xrefs: 00DAE47B

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: >$&j=$lackadausaz.click
API String ID: 3861434553-1851139727
Opcode ID: 9f0bbf44618bc45259c05b5c53e47b6011c2eec52714458fd5e741ee5c97f42e
Instruction ID: 5468c0695196f66c9f455522b602bffc2e137a98ee147ce4cc418aedd6bb4327
Opcode Fuzzy Hash: 9f0bbf44618bc45259c05b5c53e47b6011c2eec52714458fd5e741ee5c97f42e
Instruction Fuzzy Hash: B5A1EF7190D3928BD3348F29D4947ABBBE5FFD2300F28995DC4D95B265D7390409CBA2

Function 00C81001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00C8106B
__p__fmode.MSVCRT ref: 00C81070
__p__commode.MSVCRT ref: 00C8107D

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 9a17dea4a8d7304038b0098f97cc4060d20ada3e3a998aa3330248386c07a6f9
Instruction ID: 7d0fe8ad9520174e195d11abe9925ae25899f82a69485cdcdafce977a168c2d8
Opcode Fuzzy Hash: 9a17dea4a8d7304038b0098f97cc4060d20ada3e3a998aa3330248386c07a6f9
Instruction Fuzzy Hash: AB217570500642CFC714BF20DC153A937E5BB0030CFA94968C8695B655EB7AD9CEEBAD

Function 00DD328C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00DD32DA
GetSystemMetrics.USER32 ref: 00DD32E9

Strings

, xrefs: 00DD33BD

Memory Dump Source

Source File: 00000000.00000002.1699373641.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_ronwod.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 436b5edf1a2758f824cb35eddf681e03a9cee24c403e58633a615b86c142e26e
Instruction ID: c2938f337e20357c41ef3b27efbaeed0dad4ad1f081a72cd16660f1086fece74
Opcode Fuzzy Hash: 436b5edf1a2758f824cb35eddf681e03a9cee24c403e58633a615b86c142e26e
Instruction Fuzzy Hash: 1B5183B4E142089FCB40EFACD985AAEBBF4BF48310F118529E498E7350D774A945CF92

Function 00C83D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00C83D7E

Strings

Unknown error, xrefs: 00C83D12
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00C83D5F

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 0826e2dc8526212566e1e4c4f889a6e35ce6d947ef19194b1666310f3e18615d
Instruction ID: 067198c9bc7f55f06d09b8e59f8d34da55ee46b5509f3142bfd3570439666090
Opcode Fuzzy Hash: 0826e2dc8526212566e1e4c4f889a6e35ce6d947ef19194b1666310f3e18615d
Instruction Fuzzy Hash: 5A01C0B0008B45CBC700AF15E48842ABFB1FF89354F828898E5D54626ACB32D8A8C74A

Function 00C81296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00C812EB
strlen.MSVCRT ref: 00C81323
malloc.MSVCRT ref: 00C8132E
memcpy.MSVCRT ref: 00C81344

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 4f85ce1afb02c5b9eaec3673b5d2663b68e815e573f6db05b2153906ce2af5b0
Instruction ID: fd3f43c59ee8090ef4681a9d8a673a88504986b66eecf4f4cd76454b8eced9fa
Opcode Fuzzy Hash: 4f85ce1afb02c5b9eaec3673b5d2663b68e815e573f6db05b2153906ce2af5b0
Instruction Fuzzy Hash: BF3156B59047168FCB20EF24D8803ADBBF1FB88304F55852DD9599B311DB31AA0ACF89

Function 00C813BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00C812EB
strlen.MSVCRT ref: 00C81323
malloc.MSVCRT ref: 00C8132E
memcpy.MSVCRT ref: 00C81344

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 51305db0c768249940b33685184e1a799046fb2ed94ae8608c415adf611eec0e
Instruction ID: a22954a13d6a7253a1c0069c38dcfb5a06c321b8c680230d749c89d734bd6c87
Opcode Fuzzy Hash: 51305db0c768249940b33685184e1a799046fb2ed94ae8608c415adf611eec0e
Instruction Fuzzy Hash: 262123B59047158FCB15EF28E8803ADB7F0FB88304F55892ED949A7310EB30A909DF89

Function 00C84460 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00C84633,?,?,?,?,?,00C83C48), ref: 00C8446E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00C84633,?,?,?,?,?,00C83C48), ref: 00C84495
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00C84633,?,?,?,?,?,00C83C48), ref: 00C8449C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00C84633,?,?,?,?,?,00C83C48), ref: 00C844BC

Memory Dump Source

Source File: 00000000.00000002.1699206437.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000000.00000002.1699195782.0000000000C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699218333.0000000000C86000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699229368.0000000000C89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699240968.0000000000C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699345751.0000000000C8D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c80000_ronwod.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 6c7d26a1212394324404f06f4a96ba5ce203e57486dfa09f0dd62b2e301b3dbb
Instruction ID: 42f8368ca4c761d052cdccf6a0946931c31134fbf63af8decd2ce7e871e22267
Opcode Fuzzy Hash: 6c7d26a1212394324404f06f4a96ba5ce203e57486dfa09f0dd62b2e301b3dbb
Instruction Fuzzy Hash: B8F0A4B65042128BCB10BF78E9CC72EBBA4EA40318B090078DD5457319EB30A948CBAA

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ronwod.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
ronwod.exe

Function 00C8346D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 373
COMMON

Function 00DACC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Function 00DA9C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Function 00DAA8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Function 00DDD0D9 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Function 00DDCD20 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00DA86C0 Relevance: 7.6, APIs: 5, Instructions: 92
threadCOMMON

Function 00DAE6BA Relevance: 2.5, APIs: 2, Instructions: 12
COMMON

Function 00DD6B2D Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 00DACC13 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 00DDCE81 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00DACBE0 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Function 00DDB1A0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON