
Windows Analysis Report
PO_4027_from_IC_Tech_Inc_6908.exe

Overview

General Information

Sample name: PO_4027_from_IC_Tech_Inc_6908.exe
Analysis ID: 1583448
MD5: 56559e2f9323976d428ab29bdf376e2d
SHA1: e3c4ca99d4930f8d2c98eaf9753f00c9e4c65545
SHA256: 51059d6fb1f965aacd775defb57c132378f70c789fbce4ea2b9577da5ca7396e
Tags: exe, MassLogger, user-cocaman

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO_4027_from_IC_Tech_Inc_6908.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe" MD5: 56559E2F9323976D428AB29BDF376E2D)
    • RegAsm.exe (PID: 6692 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Malware configuration (MassLogger): {"EXfil Mode": "Telegram", "Telegram Token": "7650877543:AAEHK1buhJVYBj_qDtRrTpmbtOHvJlcogS4", "Telegram Chatid": "5313937224"}
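The configuration line above was recovered by Joe Sandbox's extractor from process memory. The script below is an added example (not part of the report or of any Joe Sandbox tooling) of how that recovery can be reproduced from a raw memory dump: it pulls ASCII and UTF-16LE strings, then looks for the Telegram bot-token format and a nearby chat id. The sample buffer, the token and chat id inside it, and the layout assumption that the chat id is stored as its own string shortly after the token are constructed; only the token format, the JSON field names and the api.telegram.org URL template come from the report.

```python
import json
import re

# Telegram bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z_:-])(\d{6,12}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Chat ids are bare integers (negative for groups); the 5-15 digit bound is an assumption.
CHATID_RE = re.compile(r"(?<![0-9A-Za-z_:-])(-?\d{5,15})(?![0-9A-Za-z_-])")
# The unpacked payload carries this URL template (see the strings in the report).
TELEGRAM_URL = "https://api.telegram.org/bot"


def extract_strings(buf, min_len=5):
    """Return [(offset, text)] for printable ASCII and UTF-16LE runs, sorted by offset.

    .NET string objects in a process dump are UTF-16LE, so both encodings are
    scanned; the report's trailing junk characters ("...orgd") come from the
    bytes that follow a string object.
    """
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def extract_masslogger_config(buf, window=4096):
    """Recover the Telegram exfil settings from a memory dump, in the report's JSON shape.

    Assumption: the chat id is stored as its own string within `window` bytes
    after the token; the report shows the values, not their layout in memory.
    """
    strings = extract_strings(buf)
    mode = "Telegram" if any(TELEGRAM_URL in s for _, s in strings) else None
    for i, (off, s) in enumerate(strings):
        m = TOKEN_RE.search(s)
        if not m:
            continue
        chat = None
        for later_off, later in strings[i + 1:]:
            if later_off - off > window:
                break
            c = CHATID_RE.search(later)
            if c:
                chat = c.group(1)
                break
        return {"EXfil Mode": mode, "Telegram Token": m.group(1), "Telegram Chatid": chat}
    return None


def _u16(text):
    """Encode a string the way the CLR stores it: UTF-16LE plus a NUL terminator."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a RegAsm.exe memory region: filler bytes around
# UTF-16LE strings, with a fake token (real format, invented value).
SAMPLE_DUMP = (
    b"\x00" * 16 + b"\x08\x00\x00\x00" + _u16("Telegram")
    + b"\xaa\x55" * 8 + _u16("1234567890:AAFfakeTOKENfakeTOKENfakeTOKENfake1")
    + b"\x90\x0f" * 24 + _u16("5555544444")
    + b"\x01\x02" * 16 + _u16(TELEGRAM_URL + "-/sendDocument?chat_id=")
)

if __name__ == "__main__":
    print(json.dumps(extract_masslogger_config(SAMPLE_DUMP)))
```

Run it against a real dump by reading the `.sdmp` region into `buf`; the token format is strict enough that false positives are rare, but the chat-id heuristic depends on the assumed layout and should be confirmed against the decompiled configuration class.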
Source | Rule | Description | Author | Strings
00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | strings listed below
  • 0xffcd:$a1: get_encryptedPassword
  • 0x10309:$a2: get_encryptedUsername
  • 0xfd5a:$a3: get_timePasswordChanged
  • 0xfe7b:$a4: get_passwordField
  • 0xffe3:$a5: set_encryptedPassword
  • 0x119b3:$a7: get_logins
  • 0x11664:$a8: GetOutlookPasswords
  • 0x11442:$a9: StartKeylogger
  • 0x11903:$a10: KeyLoggerEventArgs
  • 0x1149f:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2886833042.0000000002A95000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(12 entries in the full report; the remainder are not shown here)
Source | Rule | Description | Author | Strings
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(30 entries in the full report; the remainder are not shown here)
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T19:52:54.367212+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP

                    AV Detection

Source: PO_4027_from_IC_Tech_Inc_6908.exe | Avira: detected
Source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7650877543:AAEHK1buhJVYBj_qDtRrTpmbtOHvJlcogS4", "Telegram Chatid": "5313937224"}
Source: PO_4027_from_IC_Tech_Inc_6908.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO_4027_from_IC_Tech_Inc_6908.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: PO_4027_from_IC_Tech_Inc_6908.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: PO_4027_from_IC_Tech_Inc_6908.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 027B9731h (1_2_027B9480)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 027B9E5Ah (1_2_027B9A30)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 027B9E5Ah (1_2_027B9D87)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 158.101.44.242:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000001.00000002.2886833042.0000000002971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000001.00000002.2886833042.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000001.00000002.2886833042.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000001.00000002.2886833042.0000000002971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
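The traffic above is the sample establishing its public IP and geolocation before exfiltration: a request to checkip.dyndns.org carrying a hard-coded IE 6 user agent, then a request without any user agent to reallyfreegeoip.org/xml/<ip>, alongside a TLS 1.0 session whose JA3 hash Joe Sandbox associates with other malware. The Python below is an added example (not from the report) of turning those observations into a hunt over HTTP and TLS log records. The record layout, the 300-second correlation window and the log entries are constructed; the host names, user agent string, JA3 value and addresses are the ones reported above.

```python
from collections import defaultdict
from ipaddress import ip_address

# Indicators taken from the report above.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOST = "reallyfreegeoip.org"
MASSLOGGER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
BAD_JA3 = {"54328bd36c14bd82ddaa0c04b25ed9ad"}
WINDOW_SECONDS = 300  # assumption: how close the two lookups must be to correlate


def geoip_target(rec):
    """Return the address embedded in a reallyfreegeoip.org /xml/<ip> request, else None."""
    if rec.get("host") != GEOIP_HOST or not rec.get("uri", "").startswith("/xml/"):
        return None
    try:
        return str(ip_address(rec["uri"][len("/xml/"):]))
    except ValueError:
        return None


def hunt(records):
    """Map each source address to the reasons its traffic matches the report's pattern."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)
    findings = defaultdict(list)
    for src, recs in by_src.items():
        http = [r for r in recs if r["type"] == "http"]
        # 1. "what is my IP" lookup followed shortly by geolocation of an address
        for i, a in enumerate(http):
            if a.get("host") not in IP_CHECK_HOSTS:
                continue
            for b in http[i + 1:]:
                if b["ts"] - a["ts"] > WINDOW_SECONDS:
                    break
                target = geoip_target(b)
                if target:
                    findings[src].append(
                        f"ip-check via {a['host']} then geolocation of {target} "
                        f"via {GEOIP_HOST} {b['ts'] - a['ts']:.0f}s later")
        # 2. the hard-coded IE 6 user agent, and the UA-less geolocation request
        for r in http:
            if r.get("user_agent") == MASSLOGGER_UA:
                findings[src].append(f"MassLogger user agent on request to {r['host']}")
            elif not r.get("user_agent") and r.get("host") == GEOIP_HOST:
                findings[src].append(f"no user agent on request to {r['host']}")
        # 3. client TLS fingerprint and legacy protocol version
        for r in recs:
            if r["type"] != "tls":
                continue
            if r.get("ja3") in BAD_JA3:
                findings[src].append(f"JA3 {r['ja3']} to {r['dst']} is seen with other malware")
            if r.get("version") == "TLSv10":
                findings[src].append(f"TLS 1.0 handshake to {r['dst']}")
    return dict(findings)


# Constructed log records mirroring the report's traffic; not a real capture.
SAMPLE_RECORDS = [
    {"type": "http", "ts": 1000.0, "src": "192.168.2.4", "dst": "158.101.44.242",
     "host": "checkip.dyndns.org", "uri": "/", "user_agent": MASSLOGGER_UA},
    {"type": "tls", "ts": 1002.5, "src": "192.168.2.4", "dst": "188.114.96.3",
     "ja3": "54328bd36c14bd82ddaa0c04b25ed9ad", "version": "TLSv10"},
    {"type": "http", "ts": 1003.0, "src": "192.168.2.4", "dst": "188.114.96.3",
     "host": "reallyfreegeoip.org", "uri": "/xml/8.46.123.189", "user_agent": ""},
    {"type": "http", "ts": 1010.0, "src": "192.168.2.7", "dst": "93.184.216.34",
     "host": "example.com", "uri": "/", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_RECORDS).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

The paired lookup (finding 1) is the strongest signal: public-IP services are used by legitimate software, but an IP check immediately followed by a geolocation query for the address it returned is the report's "tries to detect the country of the analysis system" behaviour. The other findings are corroborating; a JA3 hash alone is shared by every client built on the same TLS stack, so it should raise priority rather than fire on its own.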

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

                    System Summary

Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO_4027_from_IC_Tech_Inc_6908.exe PID: 5724, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 6692, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: PO_4027_from_IC_Tech_Inc_6908.exe, stubb.cs | Long String: Length: 131084
Source: initial sample | Static PE information: Filename: PO_4027_from_IC_Tech_Inc_6908.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_027BC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_027B2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_027B9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_027BC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_027B946F
Source: PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs PO_4027_from_IC_Tech_Inc_6908.exe
Source: PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649811616.0000000002B21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs PO_4027_from_IC_Tech_Inc_6908.exe
Source: PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649029159.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO_4027_from_IC_Tech_Inc_6908.exe
Source: PO_4027_from_IC_Tech_Inc_6908.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO_4027_from_IC_Tech_Inc_6908.exe PID: 5724, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 6692, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: PO_4027_from_IC_Tech_Inc_6908.exe, XBXNSFFNSFJFSETWYYWEYHWEEHWH.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_4027_from_IC_Tech_Inc_6908.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: PO_4027_from_IC_Tech_Inc_6908.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO_4027_from_IC_Tech_Inc_6908.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000001.00000002.2886833042.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2886833042.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2886833042.0000000002A50000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO_4027_from_IC_Tech_Inc_6908.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe "C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe"
Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
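The process-creation lines above, together with the "creates a process in suspended mode", "writes to foreign memory regions" and "injects a PE file into a foreign process" signatures, describe the loader hollowing RegAsm.exe. The report also notes that no Sigma rule matched. The Python below is an added example (not from the report or from Joe Sandbox) of the process-creation check such a rule would encode: RegAsm.exe launched with no arguments by a parent outside C:\Windows. The event layout, the benign msiexec.exe comparison event and the C:\Windows and C:\Users path assumptions are constructed; the RegAsm.exe path and its parent image are the ones reported.

```python
import ntpath
import re

# RegAsm.exe is the injection host seen in the report. The set exists so
# that other hosts can be added; which ones is an assumption, not something
# the report shows.
HOLLOW_HOSTS = {"regasm.exe"}
WINDOWS_DIR = "c:\\windows\\"   # assumed system drive layout
USER_DIR = "c:\\users\\"        # assumed profile root (user-writable)
_ARG = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in _ARG.findall(cmdline)]


def inspect(event):
    """Return [(code, message)] for the ways a process-creation event matches the report.

    `event` uses Sysmon Event ID 1 field names: Image, CommandLine, ParentImage.
    """
    base = ntpath.basename(event["Image"]).lower()
    if base not in HOLLOW_HOSTS:
        return []
    reasons = []
    # RegAsm.exe registers an assembly, so a legitimate launch carries a path argument.
    if not tokenize(event["CommandLine"])[1:]:
        reasons.append(("no-args", f"{base} started with no arguments"))
    parent = event["ParentImage"].lower()
    if not parent.startswith(WINDOWS_DIR):
        reasons.append(("parent-outside-windows",
                        f"parent {event['ParentImage']} is outside the Windows directory"))
    if parent.startswith(USER_DIR):
        reasons.append(("parent-user-writable", "parent runs from a user-writable path"))
    return reasons


def verdict(event):
    """'hollowing-suspect' when an argument-less host is spawned by a non-system parent."""
    codes = {code for code, _ in inspect(event)}
    if {"no-args", "parent-outside-windows"} <= codes:
        return "hollowing-suspect"
    return "review" if codes else "benign"


# Constructed events modelled on the process tree in the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "ParentImage": r"C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe"},
    # Benign comparison (assumed): an installer registering a COM-visible assembly.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Program Files\Vendor\App.dll" /codebase',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(verdict(ev), ev["Image"])
        for _, msg in inspect(ev):
            print("  -", msg)
```

The argument check is what separates this from a noisy "RegAsm.exe started" rule: the hollowed copy never receives the assembly path that every real invocation needs, and the parent here is an unsigned executable on a user's desktop rather than an installer. On a real estate, pair the verdict with the memory-write telemetry (CreateRemoteThread or Sysmon Event ID 8/10 from the parent into the child) before alerting.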
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: PO_4027_from_IC_Tech_Inc_6908.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PO_4027_from_IC_Tech_Inc_6908.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Process information set: NOOPENFILEERRORBOX (this entry appears 17 times in the report)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (this entry appears 55 times in the report)
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory allocated: ED0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory allocated: 2B20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory allocated: 11B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2770000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2970000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4970000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe TID: 6732 | Thread sleep time: -922337203685477s >= -30000s
                    Source: RegAsm.exe, 00000001.00000002.2886142340.0000000000C01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: PO_4027_from_IC_Tech_Inc_6908.exe, stubb.cs | Reference to suspicious API methods: BaseApp.ReadProcessMemory(processHandle, address, ref baseAddress, 4, ref bytesRead)
                    Source: PO_4027_from_IC_Tech_Inc_6908.exe, stubb.cs | Reference to suspicious API methods: BaseApp.VirtualAllocEx(processHandle, imageBase, size, 12288, 64)
                    Source: PO_4027_from_IC_Tech_Inc_6908.exe, stubb.cs | Reference to suspicious API methods: BaseApp.WriteProcessMemory(Config.processInfo.ProcessHandle, newImageBase + num3, array, array.Length, ref bytesWritten)
                    Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                    Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                    Source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8EF008
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Queries volume information: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO_4027_from_IC_Tech_Inc_6908.exe PID: 5724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6692, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2886833042.0000000002A95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO_4027_from_IC_Tech_Inc_6908.exe PID: 5724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6692, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3bad618.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b955f8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO_4027_from_IC_Tech_Inc_6908.exe.3b7d5d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO_4027_from_IC_Tech_Inc_6908.exe PID: 5724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6692, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; leading numbers are the counts shown in the original matrix cells)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 System Network Configuration Discovery; 13 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Screen Capture; 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 1 Data from Local System; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label
PO_4027_from_IC_Tech_Inc_6908.exe | 71% | ReversingLabs | Win32.Trojan.Jalapeno
PO_4027_from_IC_Tech_Inc_6908.exe | 100% | Avira | TR/Dropper.Gen
PO_4027_from_IC_Tech_Inc_6908.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | false | high
checkip.dyndns.com | 158.101.44.242 | true | false | high
checkip.dyndns.org | unknown | unknown | false | high
Name | Malicious | Reputation
http://checkip.dyndns.org/ | false | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | high
Name | Source | Malicious | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l | RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.comd | RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/q | PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | high
http://reallyfreegeoip.orgd | RegAsm.exe, 00000001.00000002.2886833042.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/8.46.123.189d | RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://reallyfreegeoip.org | RegAsm.exe, 00000001.00000002.2886833042.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.orgd | RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org | RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org | RegAsm.exe, 00000001.00000002.2886833042.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.com | RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/d | RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000001.00000002.2886833042.0000000002971000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot-/sendDocument?chat_id= | PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/ | PO_4027_from_IC_Tech_Inc_6908.exe, 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2886833042.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENET US | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898 US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583448
Start date and time: 2025-01-02 19:52:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO_4027_from_IC_Tech_Inc_6908.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 56
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegAsm.exe, PID 6692 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: PO_4027_from_IC_Tech_Inc_6908.exe
                                                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/u7ghXEYp/download
188.114.96.3 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.mffnow.info/1a34/
188.114.96.3 | A2028041200SD.exe | malicious | FormBook | www.mydreamdeal.click/1ag2/
188.114.96.3 | SWIFT COPY 0028_pdf.exe | malicious | FormBook | www.questmatch.pro/ipd6/
188.114.96.3 | QUOTATION_NOVQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/I7fmQg9d/download
188.114.96.3 | need quotations.exe | malicious | FormBook | www.rtpwslot888gol.sbs/jmkz/
188.114.96.3 | QUOTATION_NOVQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/Bh1Kj4RD/download
188.114.96.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
188.114.96.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/XrlEIxYp/download
188.114.96.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/XrlEIxYp/download
158.101.44.242 | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
158.101.44.242 | Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | Requested Documentation.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | Overheaped237.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | HUSDGHCE23ED.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | _Company.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.97.3
reallyfreegeoip.org | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | Dotc67890990.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134
reallyfreegeoip.org | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
reallyfreegeoip.org | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 172.67.177.134
checkip.dyndns.com | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73
checkip.dyndns.com | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242
checkip.dyndns.com | Dotc67890990.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
checkip.dyndns.com | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok | malicious | HTMLPhisher | 104.18.142.119
CLOUDFLARENETUS | https://ntta.org-pay-u5ch.sbs/us/ | malicious | Unknown | 104.18.26.193
CLOUDFLARENETUS | https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html | malicious | HTMLPhisher | 172.66.0.235
CLOUDFLARENETUS | https://bit.ly/3W6tVJJ?BRK=80HiTWCpll | malicious | Unknown | 172.66.0.227
CLOUDFLARENETUS | https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63 | malicious | HTMLPhisher | 104.26.9.117
CLOUDFLARENETUS | https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml | malicious | HTMLPhisher | 104.26.9.117
CLOUDFLARENETUS | https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml | malicious | HTMLPhisher | 104.26.9.117
CLOUDFLARENETUS | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | https://goo.su/Argds | malicious | GRQ Scam | 172.67.12.83
ORACLE-BMC-31898US | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Hilix.mips.elf | malicious | Mirai | 140.238.15.187
ORACLE-BMC-31898US | file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242
ORACLE-BMC-31898US | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
ORACLE-BMC-31898US | armv4l.elf | malicious | Mirai | 129.148.142.134
ORACLE-BMC-31898US | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | RtU8kXPnKr.exe | malicious | Quasar | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Dotc67890990.exe | malicious | Snake Keylogger | 188.114.96.3
                                                          No context
Process: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 3.912617590483663
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: PO_4027_from_IC_Tech_Inc_6908.exe
File size: 340'480 bytes
MD5: 56559e2f9323976d428ab29bdf376e2d
SHA1: e3c4ca99d4930f8d2c98eaf9753f00c9e4c65545
SHA256: 51059d6fb1f965aacd775defb57c132378f70c789fbce4ea2b9577da5ca7396e
SHA512: 6e866226bcc8ab503ec2a6e3d0d24e11741a8b120d31fcb895c39241dbe1f1682c84789f820f382cd81556e8a1dec56a24328f6bb19b4088a0e9a29faf71cca6
SSDEEP: 6144:ODuSxhHV/AG4tZTjABMgcn5/lX82Oz35SNbEyHquGeKGDuGyGN:Suqh1/AG4jTjvgc5dX82Oz352bEyq
TLSH: 20745B2439EA501AF173EFB58BE475AA9A6FBB733B03545D1051038B4B23A81DEC153E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....eig................. ...........>... ...@....@.. ....................................@................................
Icon Hash: 4e4e4e0e0777f349
Entrypoint: 0x443eee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x676965A4 [Mon Dec 23 13:29:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint 0x443eee)
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the 6-byte jmp stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x43e94          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x44000          0x10e00       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x56000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x41ef4       0x42000   0355f7106852c7e3bccec59960424806  False     0.4864132043087121   data       4.1047268815015245   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x44000          0x10e00       0x10e00   2e470b329fc0ac4ee2fd7d2a294f99c8  False     0.16148726851851852  data       2.3105602784349393   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x56000          0xc           0x200     a9ef0d1606756637d14ebea313529ba2  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                Language  Country  ZLIB Complexity
RT_ICON        0x443d0  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                                   0.15423518277534604
RT_GROUP_ICON  0x54bf8  0x14     data                                                                                                  1.25
RT_VERSION     0x44130  0x29c    data                                                                                                  0.4416167664670659
RT_MANIFEST    0x54c10  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
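The static fields above (entry point and its section, compile time, the import/IAT/CLR data directories, per-section entropy) can all be recovered from the raw headers with a few struct reads. The following is an added example written for this page, not part of the Joe Sandbox report or of any sandbox code. It parses a constructed PE32 image that reuses this sample's TimeDateStamp (0x676965A4), image base (0x400000) and IAT/CLR directory RVAs, and adds a synthetic uniform-byte section so the entropy check has something to flag; every other value in the constructed image is made up. Two things it checks are exactly what the tables above show for this sample: the CLR (COM descriptor) directory at 0x2008 is what makes TrID call the file a .NET executable, and the entry stub `jmp dword ptr [00402000h]` jumps through the single 8-byte IAT entry at RVA 0x2000, i.e. the only native import, mscoree!_CorExeMain. Note also that the on-disk section entropies (4.1, 2.3, 0.1) are unremarkable; the report's 100% "Dynamic/Decrypted Code Coverage" says the interesting code only existed at run time, so a static entropy check alone would have passed this file.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14   # IMAGE_DIRECTORY_ENTRY_* indices
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """DOS header -> COFF header -> optional header -> section table; returns the
    triage fields (compile time, entry point and its section, .NET-ness, entropy)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", image, opt)
    entry_rva, = struct.unpack_from("<I", image, opt + 16)
    if magic == 0x10B:                                              # PE32
        image_base, = struct.unpack_from("<I", image, opt + 28)
        dirs_at = opt + 96
    elif magic == 0x20B:                                            # PE32+
        image_base, = struct.unpack_from("<Q", image, opt + 24)
        dirs_at = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs, = struct.unpack_from("<I", image, dirs_at - 4)
    dirs = [struct.unpack_from("<II", image, dirs_at + 8 * i) for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))                             # pad so indexing is safe
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
            "entropy": round(shannon_entropy(image[raw_ptr:raw_ptr + raw_size]), 4),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "entry_section": entry_section,
        "is_dotnet": dirs[DIR_COM_DESCRIPTOR][0] != 0,             # CLR header present -> managed image
        "iat_rva": dirs[DIR_IAT][0],
        "sections": sections,
    }


def entry_jumps_through_iat(image: bytes, info: dict) -> bool:
    """True when the entry point is the 6-byte `jmp dword ptr [IAT slot]` stub through
    which the native loader of a .NET executable reaches mscoree!_CorExeMain."""
    rva = info["entry_point"] - info["image_base"]
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + s["raw_size"]:
            off = s["raw_ptr"] + (rva - s["va"])
            if image[off:off + 2] != b"\xff\x25":                   # FF 25 = jmp dword ptr [imm32]
                return False
            target, = struct.unpack_from("<I", image, off + 2)
            return target == info["image_base"] + info["iat_rva"]
    return False


def high_entropy_sections(info: dict, threshold: float = 7.0) -> list:
    """Sections whose bytes look compressed or encrypted; packed loaders stand out here."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 for the demo, not the analysed file. Reuses the report's
    TimeDateStamp, image base and IAT/CLR directory RVAs; adds a uniform-byte '.pack' section."""
    text = b"\0" * 0x50 + b"\xff\x25\x00\x20\x40\x00" + b"\0" * (0x200 - 0x56)  # jmp [0x402000] at RVA 0x2050
    packed = bytes(range(256)) * 2                                               # 512 bytes, entropy 8.0
    sections = [(b".text", 0x2000, text, 0x60000020), (b".pack", 0x3000, packed, 0xC0000040)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x676965A4, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,   # PE32 optional header
                      0x10B, 14, 0, len(text), len(packed), 0, 0x2050, 0x2000, 0x3000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (0x2010, 0x57), (0x2000, 0x8), (0x2008, 0x48)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    hdrs, body, raw = b"", b"", 0x200
    for name, rva, data, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data), raw, 0, 0, 0, 0, chars)
        body += data
        raw += len(data)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    img = build_sample_pe()
    info = parse_pe(img)
    print({k: info[k] for k in ("compile_time", "entry_point", "entry_section", "is_dotnet")})
    print("CLR entry stub:", entry_jumps_through_iat(img, info))
    print("high-entropy sections:", high_entropy_sections(info))
```

Run against the real file, `parse_pe(open(path, "rb").read())` should report the entry point 0x443eee in .text, the 2024-12-23 compile time and `is_dotnet` true; the entropy list will be empty, which is the point of the caveat above.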
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2025-01-02T19:52:54.367212+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49730        158.101.44.242  80         TCP
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Jan 2, 2025 19:52:53.569156885 CET  49730        80         192.168.2.4     158.101.44.242
Jan 2, 2025 19:52:53.573962927 CET  80           49730      158.101.44.242  192.168.2.4
Jan 2, 2025 19:52:53.574032068 CET  49730        80         192.168.2.4     158.101.44.242
Jan 2, 2025 19:52:53.577023983 CET  49730        80         192.168.2.4     158.101.44.242
Jan 2, 2025 19:52:53.581805944 CET  80           49730      158.101.44.242  192.168.2.4
Jan 2, 2025 19:52:54.155045033 CET  80           49730      158.101.44.242  192.168.2.4
Jan 2, 2025 19:52:54.158654928 CET  49730        80         192.168.2.4     158.101.44.242
Jan 2, 2025 19:52:54.163480997 CET  80           49730      158.101.44.242  192.168.2.4
Jan 2, 2025 19:52:54.324373960 CET  80           49730      158.101.44.242  192.168.2.4
Jan 2, 2025 19:52:54.335813999 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:54.335848093 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:54.335913897 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:54.349636078 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:54.349663973 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:54.367212057 CET  49730        80         192.168.2.4     158.101.44.242
Jan 2, 2025 19:52:54.813405991 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:54.813483953 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:54.822235107 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:54.822254896 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:54.822685003 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:54.875845909 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:54.903882027 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:54.951337099 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:55.030114889 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:55.030174017 CET  443          49731      188.114.96.3    192.168.2.4
Jan 2, 2025 19:52:55.030236006 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:52:55.103132963 CET  49731        443        192.168.2.4     188.114.96.3
Jan 2, 2025 19:53:59.335530043 CET  80           49730      158.101.44.242  192.168.2.4
Jan 2, 2025 19:53:59.335592985 CET  49730        80         192.168.2.4     158.101.44.242
Jan 2, 2025 19:54:34.336035967 CET  49730        80         192.168.2.4     158.101.44.242
Jan 2, 2025 19:54:34.340823889 CET  80           49730      158.101.44.242  192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 2, 2025 19:52:53.553942919 CET  58921        53         192.168.2.4  1.1.1.1
Jan 2, 2025 19:52:53.561779976 CET  53           58921      1.1.1.1      192.168.2.4
Jan 2, 2025 19:52:54.327285051 CET  58828        53         192.168.2.4  1.1.1.1
Jan 2, 2025 19:52:54.334963083 CET  53           58828      1.1.1.1      192.168.2.4
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Jan 2, 2025 19:52:53.553942919 CET  192.168.2.4  1.1.1.1  0x7381    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
Jan 2, 2025 19:52:54.327285051 CET  192.168.2.4  1.1.1.1  0xc47c    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                 CName               Address         Type                    Class        DNS over HTTPS
Jan 2, 2025 19:52:53.561779976 CET  1.1.1.1    192.168.2.4  0x7381    No error (0)  checkip.dyndns.org   checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)  false
Jan 2, 2025 19:52:53.561779976 CET  1.1.1.1    192.168.2.4  0x7381    No error (0)  checkip.dyndns.com                       158.101.44.242  A (IP address)          IN (0x0001)  false
Jan 2, 2025 19:52:53.561779976 CET  1.1.1.1    192.168.2.4  0x7381    No error (0)  checkip.dyndns.com                       132.226.8.169   A (IP address)          IN (0x0001)  false
Jan 2, 2025 19:52:53.561779976 CET  1.1.1.1    192.168.2.4  0x7381    No error (0)  checkip.dyndns.com                       193.122.6.168   A (IP address)          IN (0x0001)  false
Jan 2, 2025 19:52:53.561779976 CET  1.1.1.1    192.168.2.4  0x7381    No error (0)  checkip.dyndns.com                       193.122.130.0   A (IP address)          IN (0x0001)  false
Jan 2, 2025 19:52:53.561779976 CET  1.1.1.1    192.168.2.4  0x7381    No error (0)  checkip.dyndns.com                       132.226.247.73  A (IP address)          IN (0x0001)  false
Jan 2, 2025 19:52:54.334963083 CET  1.1.1.1    192.168.2.4  0xc47c    No error (0)  reallyfreegeoip.org                      188.114.96.3    A (IP address)          IN (0x0001)  false
Jan 2, 2025 19:52:54.334963083 CET  1.1.1.1    192.168.2.4  0xc47c    No error (0)  reallyfreegeoip.org                      188.114.97.3    A (IP address)          IN (0x0001)  false
                                                          • reallyfreegeoip.org
                                                          • checkip.dyndns.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        158.101.44.242  80                6692  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
Jan 2, 2025 19:52:53.577023983 CET  151 bytes  OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 2, 2025 19:52:54.155045033 CET  321 bytes  IN
HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 18:52:54 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5b40a381819c4a74799a09bb9cd48540
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 19:52:54.158654928 CET  127 bytes  OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 2, 2025 19:52:54.324373960 CET  321 bytes  IN
HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 18:52:54 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5c3905922579375ce2e0620e39c00f96
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49731        188.114.96.3    443               6692  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp  Bytes transferred  Direction  Data
2025-01-02 18:52:54 UTC  85 bytes  OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-02 18:52:55 UTC  855 bytes  IN
HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 18:52:54 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1158764
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PZHUvHghZ0vGGeA3XCnzeFISZCzVd24g8aUZzO9lkGRtdAVprpc5h3hHCx3FNyDHqA9HohCJ%2F9gzRhj0sPfa6x4HvpdOHOSsFX0KzBxPydiK06id%2F%2F4b0K9sTm1vKyuij7HuayJ5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fbcf2eb7d673338-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1910&min_rtt=1889&rtt_var=752&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1414728&cwnd=245&unsent_bytes=0&cid=1a3c641058d1aee7&ts=230&x=0"
2025-01-02 18:52:55 UTC  362 bytes  IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
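The two sessions above form a victim-profiling chain that is easy to correlate in proxy or sandbox HTTP logs: RegAsm.exe asks checkip.dyndns.org for its public address using an IE6 / .NET 1.0-era User-Agent, then sends that address to reallyfreegeoip.org/xml/<ip> over TLS with no User-Agent at all and receives the CountryCode (the "Tries to detect the country of the analysis system (by using the IP)" behaviour in the signature list). What follows is an added example, not part of the report: the detection logic a practitioner would run over normalized HTTP events. The event records, the benign browser request, the 60-second correlation window and the list of .NET framework utilities that should never be making outbound requests are constructed or assumed here; the two response bodies are abbreviated copies of the responses above.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# The legacy IE6 / .NET 1.0 User-Agent sent on the checkip.dyndns.org requests in this report.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# .NET framework binaries that normally never talk to the internet; a hollowed copy does.
# Assumption: the analyst's own list, not something the report states.
DOTNET_HOST_BINARIES = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
CHAIN_WINDOW_SECONDS = 60.0          # assumed: how long after the IP lookup the geoip query may follow
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


@dataclass
class HttpEvent:
    ts: float                        # epoch seconds
    pid: int
    process: str
    host: str
    path: str
    user_agent: Optional[str]        # None when the request carried no User-Agent header
    response_body: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def external_ip_from_body(body: str) -> Optional[str]:
    """checkip.dyndns.org answers '<body>Current IP Address: a.b.c.d</body>'."""
    m = re.search(r"Current IP Address:\s*" + IPV4, body)
    return m.group(1) if m else None


def country_from_geoip_xml(body: str) -> Optional[str]:
    """reallyfreegeoip.org /xml/<ip> answers <Response>...<CountryCode>XX</CountryCode>...</Response>."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    node = root.find("CountryCode")
    return node.text.strip() if node is not None and node.text else None


def analyze(events: List[HttpEvent]) -> List[Finding]:
    """Per-request checks plus the cross-request correlation: an external-IP lookup whose
    answer the same process then feeds into a geolocation query."""
    findings: List[Finding] = []
    last_lookup = {}                                      # pid -> (ts, external ip)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.process.lower() in DOTNET_HOST_BINARIES:
            findings.append(Finding(ev.pid, "dotnet_host_network", f"{ev.process} -> {ev.host}"))
        if ev.user_agent is None:
            findings.append(Finding(ev.pid, "no_user_agent", f"{ev.host}{ev.path}"))
        elif ev.user_agent == LEGACY_UA:
            findings.append(Finding(ev.pid, "legacy_ua", ev.user_agent))
        if ev.host in IP_LOOKUP_HOSTS:
            ip = external_ip_from_body(ev.response_body)
            findings.append(Finding(ev.pid, "external_ip_lookup", f"{ev.host} answered {ip}"))
            if ip:
                last_lookup[ev.pid] = (ev.ts, ip)
        if ev.host in GEOIP_HOSTS:
            m = re.fullmatch(r"/xml/" + IPV4, ev.path)
            prev = last_lookup.get(ev.pid)
            if m and prev and m.group(1) == prev[1] and ev.ts - prev[0] <= CHAIN_WINDOW_SECONDS:
                cc = country_from_geoip_xml(ev.response_body)
                findings.append(Finding(ev.pid, "geoip_chain", f"own IP {prev[1]} geolocated to {cc}"))
    return findings


# Constructed events modelled on the two sessions above (timestamps are 2025-01-02 18:52:53/54 UTC
# as epoch seconds, bodies abbreviated); the chrome.exe event is invented as a benign control.
CHECKIP_HTML = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 8.46.123.189</body></html>")
GEOIP_XML = ("<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n"
             "\t<CountryName>United States</CountryName>\n</Response>")
SAMPLE_EVENTS = [
    HttpEvent(1735843973.577, 6692, "RegAsm.exe", "checkip.dyndns.org", "/", LEGACY_UA, CHECKIP_HTML),
    HttpEvent(1735843974.349, 6692, "RegAsm.exe", "reallyfreegeoip.org", "/xml/8.46.123.189", None, GEOIP_XML),
    HttpEvent(1735843975.000, 4120, "chrome.exe", "example.com", "/", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", ""),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<22} {f.detail}")
```

The per-request rules alone are noisy (legacy User-Agents and missing User-Agents occur in legitimate software); the correlation of the looked-up address with the /xml/<ip> path, from the same PID, within a short window, is the part worth alerting on, and the process name of a .NET framework utility is what turns it into a high-confidence hit.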


Target ID: 0
Start time: 13:52:51
Start date: 02/01/2025
Path: C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PO_4027_from_IC_Tech_Inc_6908.exe"
Imagebase: 0x760000
File size: 340'480 bytes
MD5 hash: 56559E2F9323976D428AB29BDF376E2D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1649857144.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 1
Start time: 13:52:52
Start date: 02/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0x610000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2885916271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2886833042.0000000002A95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


                                                            Execution Graph

                                                            Execution Coverage:41.2%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:72
                                                            Total number of Limit Nodes:3
                                                            execution_graph 670 ed0848 671 ed085d 670->671 674 ed08a7 671->674 675 ed08af 674->675 679 ed0948 675->679 683 ed0938 675->683 680 ed0971 679->680 687 ed09c1 680->687 681 ed098b 681->681 684 ed093f 683->684 686 ed09c1 4 API calls 684->686 685 ed098b 685->685 686->685 688 ed09c7 687->688 689 ed0a28 688->689 691 ed0c80 688->691 689->681 695 ed0ca4 691->695 693 ed0d39 709 ed1658 693->709 694 ed0d5c 714 ed18a1 694->714 695->693 696 ed0d70 695->696 700 ed1321 695->700 705 ed05b4 695->705 696->689 702 ed132f 700->702 701 ed137a 701->695 702->701 703 ed1418 Wow64SetThreadContext 702->703 704 ed1446 703->704 704->695 706 ed1488 ReadProcessMemory 705->706 708 ed1516 706->708 708->695 711 ed1667 709->711 710 ed1747 710->694 711->710 712 ed1831 WriteProcessMemory 711->712 713 ed186c 712->713 713->694 715 ed18af 714->715 716 ed1a31 ResumeThread 715->716 718 ed1951 715->718 717 ed1a5e 716->717 717->696 718->696 737 ed15a8 738 ed15af VirtualAllocEx 737->738 740 ed162a 738->740 762 ed0f54 763 ed0f63 CreateProcessA 762->763 765 ed11fe 763->765 753 ed0577 755 ed0587 753->755 756 ed0595 755->756 758 ed059f 756->758 759 ed05ad ReadProcessMemory 758->759 761 ed1516 759->761 741 ed08a1 742 ed08a7 4 API calls 741->742 743 ed1481 744 ed14d3 ReadProcessMemory 743->744 745 ed1516 744->745 722 ed0f60 723 ed0fe9 CreateProcessA 722->723 725 ed11fe 723->725 726 ed19f0 727 ed1a31 ResumeThread 726->727 728 ed1a5e 727->728 729 ed13c0 730 ed1408 Wow64SetThreadContext 729->730 732 ed1446 730->732 733 ed17d0 734 ed181b WriteProcessMemory 733->734 736 ed186c 734->736 746 ed0690 747 ed0695 746->747 749 ed083f 747->749 750 ed0847 749->750 752 ed08a7 4 API calls 750->752 751 ed087b 752->751

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 0 ed18a1-ed18ea call ed0654 5 ed18ec-ed1900 0->5 6 ed1958-ed197c 0->6 9 ed19d9-ed1a5c ResumeThread 5->9 10 ed1906-ed191e call ed066c 5->10 21 ed1983-ed19a7 6->21 25 ed1a5e-ed1a64 9->25 26 ed1a65-ed1a82 9->26 16 ed1920-ed1930 call ed0678 10->16 17 ed1932 10->17 19 ed1937-ed193c 16->19 17->19 19->21 23 ed193e-ed1947 call ed0684 19->23 32 ed19ae-ed19d2 21->32 29 ed194c-ed194f 23->29 25->26 29->32 33 ed1951-ed1955 29->33 32->9
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID: D@$D@$D@
                                                            • API String ID: 947044025-2574165515
                                                            • Opcode ID: 64d8cf5abbb22a7bd3ded2d05fb6000c8cb5c3d3106406e513cabe59bcc6bc9e
                                                            • Instruction ID: a9d520d1a9859f4537f1f7a1e48f5ec63d9473848fc83abaa3cb76d91007795c
                                                            • Opcode Fuzzy Hash: 64d8cf5abbb22a7bd3ded2d05fb6000c8cb5c3d3106406e513cabe59bcc6bc9e
                                                            • Instruction Fuzzy Hash: C0510370A042489FC711EFB9C46469EBBF1EFC8310F1481AAD12DEB391DA389D06CB95

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 39 ed1658-ed16a0 42 ed171d-ed173e call ed0654 39->42 43 ed16a2-ed16ca 39->43 48 ed1743-ed1745 42->48 53 ed16cc-ed16cf 43->53 54 ed16d1-ed1706 call ed0654 43->54 49 ed1747-ed174e 48->49 50 ed1790-ed1821 48->50 68 ed1831-ed186a WriteProcessMemory 50->68 69 ed1823-ed182f 50->69 55 ed1712-ed171b 53->55 61 ed170b-ed170d 54->61 55->42 55->43 63 ed170f 61->63 64 ed1751-ed1789 61->64 63->55 64->50 71 ed186c-ed1872 68->71 72 ed1873-ed189b 68->72 69->68 71->72
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00ED185D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID: D@$D@
                                                            • API String ID: 3559483778-3862852415
                                                            • Opcode ID: 56db21cd66b849ad296a76cd17b478a7dacbb6114a82161599ab09ad94d991e1
                                                            • Instruction ID: 22070870b93af689d5215573c2e258c896b3e939bcaa6374ac30231f57cea547
                                                            • Opcode Fuzzy Hash: 56db21cd66b849ad296a76cd17b478a7dacbb6114a82161599ab09ad94d991e1
                                                            • Instruction Fuzzy Hash: F661A3B1A002199FCB14DFA9C840ADFBBF6FF88310F10856AD519A7395DB34D906CBA5

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 123 ed0f54-ed0ff5 126 ed1049-ed1069 123->126 127 ed0ff7-ed101c 123->127 130 ed10bd-ed10ee 126->130 131 ed106b-ed1090 126->131 127->126 132 ed101e-ed1020 127->132 141 ed1145-ed11fc CreateProcessA 130->141 142 ed10f0-ed1118 130->142 131->130 139 ed1092-ed1094 131->139 133 ed1043-ed1046 132->133 134 ed1022-ed102c 132->134 133->126 136 ed102e 134->136 137 ed1030-ed103f 134->137 136->137 137->137 140 ed1041 137->140 143 ed10b7-ed10ba 139->143 144 ed1096-ed10a0 139->144 140->133 156 ed11fe-ed1204 141->156 157 ed1205-ed1280 141->157 142->141 149 ed111a-ed111c 142->149 143->130 145 ed10a4-ed10b3 144->145 146 ed10a2 144->146 145->145 150 ed10b5 145->150 146->145 151 ed113f-ed1142 149->151 152 ed111e-ed1128 149->152 150->143 151->141 154 ed112c-ed113b 152->154 155 ed112a 152->155 154->154 158 ed113d 154->158 155->154 156->157 167 ed1290-ed1294 157->167 168 ed1282-ed1286 157->168 158->151 169 ed12a4-ed12a8 167->169 170 ed1296-ed129a 167->170 168->167 171 ed1288-ed128b call ed029c 168->171 173 ed12b8-ed12bc 169->173 174 ed12aa-ed12ae 169->174 170->169 172 ed129c-ed129f call ed029c 170->172 171->167 172->169 178 ed12ce-ed12d5 173->178 179 ed12be-ed12c4 173->179 174->173 177 ed12b0-ed12b3 call ed029c 174->177 177->173 181 ed12ec 178->181 182 ed12d7-ed12e6 178->182 179->178 183 ed12ed 181->183 182->181 183->183
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00ED11E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID: XS
                                                            • API String ID: 963392458-1674197376
                                                            • Opcode ID: dacaeef0c3b7fb1267806a8c79dbf409dd8eba95a7afd411ff51ecd7631a90cf
                                                            • Instruction ID: a61ddda464779353c7534468f87a5906f7082eafea519d74e8f200322ff26cb7
                                                            • Opcode Fuzzy Hash: dacaeef0c3b7fb1267806a8c79dbf409dd8eba95a7afd411ff51ecd7631a90cf
                                                            • Instruction Fuzzy Hash: 43A16A71E002599FDB10DFA8C8417DDBBB2EB48304F1491AAE818F7391DB759986CF91

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 185 ed0f60-ed0ff5 187 ed1049-ed1069 185->187 188 ed0ff7-ed101c 185->188 191 ed10bd-ed10ee 187->191 192 ed106b-ed1090 187->192 188->187 193 ed101e-ed1020 188->193 202 ed1145-ed11fc CreateProcessA 191->202 203 ed10f0-ed1118 191->203 192->191 200 ed1092-ed1094 192->200 194 ed1043-ed1046 193->194 195 ed1022-ed102c 193->195 194->187 197 ed102e 195->197 198 ed1030-ed103f 195->198 197->198 198->198 201 ed1041 198->201 204 ed10b7-ed10ba 200->204 205 ed1096-ed10a0 200->205 201->194 217 ed11fe-ed1204 202->217 218 ed1205-ed1280 202->218 203->202 210 ed111a-ed111c 203->210 204->191 206 ed10a4-ed10b3 205->206 207 ed10a2 205->207 206->206 211 ed10b5 206->211 207->206 212 ed113f-ed1142 210->212 213 ed111e-ed1128 210->213 211->204 212->202 215 ed112c-ed113b 213->215 216 ed112a 213->216 215->215 219 ed113d 215->219 216->215 217->218 228 ed1290-ed1294 218->228 229 ed1282-ed1286 218->229 219->212 230 ed12a4-ed12a8 228->230 231 ed1296-ed129a 228->231 229->228 232 ed1288-ed128b call ed029c 229->232 234 ed12b8-ed12bc 230->234 235 ed12aa-ed12ae 230->235 231->230 233 ed129c-ed129f call ed029c 231->233 232->228 233->230 239 ed12ce-ed12d5 234->239 240 ed12be-ed12c4 234->240 235->234 238 ed12b0-ed12b3 call ed029c 235->238 238->234 242 ed12ec 239->242 243 ed12d7-ed12e6 239->243 240->239 244 ed12ed 242->244 243->242 244->244
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00ED11E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID: XS
                                                            • API String ID: 963392458-1674197376
                                                            • Opcode ID: 59b23e5048679c9698540f1170b506003601831c143bcb220b095abbfcf2881a
                                                            • Instruction ID: a939db6b03bad18bd9ca906704e68346ee6c5e557049a32afb848ac4a002e57e
                                                            • Opcode Fuzzy Hash: 59b23e5048679c9698540f1170b506003601831c143bcb220b095abbfcf2881a
                                                            • Instruction Fuzzy Hash: 34A15971E002599FDB10DFA8C8417EDBBB2EB48304F1491AAE808F7395DB759986CB91

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 246 ed1321-ed1349 249 ed134b-ed135d call ed0604 246->249 250 ed13aa-ed140c 246->250 253 ed1362-ed1364 249->253 260 ed140e-ed1416 250->260 261 ed1418-ed1444 Wow64SetThreadContext 250->261 254 ed137a-ed137e 253->254 255 ed1366-ed1378 call ed0610 253->255 255->254 262 ed137f-ed13a3 255->262 260->261 263 ed144d-ed1475 261->263 264 ed1446-ed144c 261->264 262->250 264->263
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00ED1437
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID: D@
                                                            • API String ID: 983334009-2222373746
                                                            • Opcode ID: 53d8ff21df7de6b30373c904314469bffdcc77fd41f96d9f334161d24f1dd166
                                                            • Instruction ID: af183fbb411e22e78bfa4c7b22c48a85d01645e38cc28ac748ded168bc98636a
                                                            • Opcode Fuzzy Hash: 53d8ff21df7de6b30373c904314469bffdcc77fd41f96d9f334161d24f1dd166
                                                            • Instruction Fuzzy Hash: 0441EF71A043589FC711DFA9C45169EBBF0EF49310F1482AAD468EB392D7389D45CBA1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 270 ed05b4-ed1514 ReadProcessMemory 273 ed151d-ed1545 270->273 274 ed1516-ed151c 270->274 274->273
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(02B4B830,?,?,?,?), ref: 00ED1507
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID: N
                                                            • API String ID: 1726664587-1689755984
                                                            • Opcode ID: 0882ca0e322c2b0f1d6ee348290c3cb8b9cff4ac5f2e7085854ea6686ec40f67
                                                            • Instruction ID: 580e65dcbd75f1138b976686c5f4d0ef757f02a2ad40774a5f4bc9a5b36c38dd
                                                            • Opcode Fuzzy Hash: 0882ca0e322c2b0f1d6ee348290c3cb8b9cff4ac5f2e7085854ea6686ec40f67
                                                            • Instruction Fuzzy Hash: 3621F5B5900359EFCB10DF9AD884ADEBBF5FB48310F10842AE958A7351D778A940CFA4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 277 ed059f-ed1514 ReadProcessMemory 281 ed151d-ed1545 277->281 282 ed1516-ed151c 277->282 282->281
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(02B4B830,?,?,?,?), ref: 00ED1507
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: d69d27a907c0cf7124a65595a9eb4347c24da91d4a0951c0835f8316329bb777
                                                            • Instruction ID: d3978bdb7c64b8787f9fd4d663b7cf38bd03c622cca983b3ec0218fcd388f48e
                                                            • Opcode Fuzzy Hash: d69d27a907c0cf7124a65595a9eb4347c24da91d4a0951c0835f8316329bb777
                                                            • Instruction Fuzzy Hash: B4214671900349EFCB10DF99C884ADEBBF0FF48310F10806AE558A7351D374A941CBA0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 285 ed17d0-ed1821 287 ed1831-ed186a WriteProcessMemory 285->287 288 ed1823-ed182f 285->288 289 ed186c-ed1872 287->289 290 ed1873-ed189b 287->290 288->287 289->290
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00ED185D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 1d11aaf48d3517467c19f0c3d62667e1e79bf61407bb4dc5e45190728438aabe
                                                            • Instruction ID: cc0cd0940d49dec1efe1990b73426141f6f1c27bcbe3d0606b19457418d59368
                                                            • Opcode Fuzzy Hash: 1d11aaf48d3517467c19f0c3d62667e1e79bf61407bb4dc5e45190728438aabe
                                                            • Instruction Fuzzy Hash: 282103B5900359DFCB14CFAAC885BDEBBF5FB48310F10842AE918A7350D778A940CBA4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 293 ed1481-ed1514 ReadProcessMemory 295 ed151d-ed1545 293->295 296 ed1516-ed151c 293->296 296->295
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(02B4B830,?,?,?,?), ref: 00ED1507
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: aef0f547c79cecbb33d94a942b6c01a2ec8899d0d7678679e35d3322f37f4a83
                                                            • Instruction ID: ad1fab0cad574ce06bdfc98758bf9b9cfae35a05d15e76c4a4313e4c7857a20e
                                                            • Opcode Fuzzy Hash: aef0f547c79cecbb33d94a942b6c01a2ec8899d0d7678679e35d3322f37f4a83
                                                            • Instruction Fuzzy Hash: F921F5B5900259DFCB10CF9AD884ADEBBF5FB48310F14842AE959A7350D378A544CFA4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 299 ed13c0-ed140c 301 ed140e-ed1416 299->301 302 ed1418-ed1444 Wow64SetThreadContext 299->302 301->302 303 ed144d-ed1475 302->303 304 ed1446-ed144c 302->304 304->303
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00ED1437
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 380f0300faf3efb5643c50d1f3da233389a87d7f9cbeae89fe22ceccda1a8167
                                                            • Instruction ID: 62547c2a9f50561ce084ecc64ce9903a4d921ce09ea9447019fca60198e6dc82
                                                            • Opcode Fuzzy Hash: 380f0300faf3efb5643c50d1f3da233389a87d7f9cbeae89fe22ceccda1a8167
                                                            • Instruction Fuzzy Hash: 182113B1D002699BCB10CF9AC485B9EFBB4FB48320F10816AD418B7340D378A9448FA1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 307 ed15a8-ed15eb 309 ed15f3-ed1628 VirtualAllocEx 307->309 310 ed162a-ed1630 309->310 311 ed1631-ed164e 309->311 310->311
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00ED161B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 4e80082a716aedbbceb21f19d2967bf4a61fc7023a81f22e480ca405fe4a382c
                                                            • Instruction ID: da39508138314733ebca7a7fae5814f93eb0251b4c86e4f23cf55fd7e2dc9aee
                                                            • Opcode Fuzzy Hash: 4e80082a716aedbbceb21f19d2967bf4a61fc7023a81f22e480ca405fe4a382c
                                                            • Instruction Fuzzy Hash: F8112CB59003489FCB10CF9AC844ADEBFF4EB48320F148559E529A7250C3759544CFA0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 314 ed15b0-ed1628 VirtualAllocEx 316 ed162a-ed1630 314->316 317 ed1631-ed164e 314->317 316->317
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00ED161B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 0b6bcac581e938b2e87eb7d34e02b04dd77a9ac42c0a44980abb04c1aef191a7
                                                            • Instruction ID: 9dd39eeacfbd84c749c6ee770606410063e87f77630a1b221e3cf703ead6660c
                                                            • Opcode Fuzzy Hash: 0b6bcac581e938b2e87eb7d34e02b04dd77a9ac42c0a44980abb04c1aef191a7
                                                            • Instruction Fuzzy Hash: 5A1104B5900248DFCB10DF9AC884BDEBFF4EB48320F24841AE528A7260C775A940CFA4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 320 ed19f0-ed1a5c ResumeThread 322 ed1a5e-ed1a64 320->322 323 ed1a65-ed1a82 320->323 322->323
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1649631837.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ed0000_PO_4027_from_IC_Tech_Inc_6908.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 742da2d56bfc671f01a7b80eaf5ef291b977ba0e53e5df7e7413cf9d21f819c5
                                                            • Instruction ID: 371d02879691a73c0c35eeb2de5c0dca59300d0c80eb0f524d2562b18255b8e6
                                                            • Opcode Fuzzy Hash: 742da2d56bfc671f01a7b80eaf5ef291b977ba0e53e5df7e7413cf9d21f819c5
                                                            • Instruction Fuzzy Hash: FE1103B1900248CFCB20DF9AC448BDEFBF4EB48324F20845AD559A7350C774A944CFA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: N
                                                            • API String ID: 0-1130791706
                                                            • Opcode ID: cc04d3c74dba846e320b628a528dd13f95e47531db6a4b5d6de438359fbdfcd3
                                                            • Instruction ID: 9da7937acfb6c8f5f49b25fcf6eb313450481f5870387755e87e8fc4190967e4
                                                            • Opcode Fuzzy Hash: cc04d3c74dba846e320b628a528dd13f95e47531db6a4b5d6de438359fbdfcd3
                                                            • Instruction Fuzzy Hash: EF73D531D10B5A8EDB11EF68C854AD9FBB1FF99300F51D69AE44867221EB70AAC4CF41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Xbq$$^q
                                                            • API String ID: 0-1593437937
                                                            • Opcode ID: c75c8fa4db3572ccb2576f7c55375c8b5439fc2e36b17abbbb59882023c2f03c
                                                            • Instruction ID: 4b3e337a7fe436dc8d7599656acc7da244a905f43487bd347b295ce357bf127f
                                                            • Opcode Fuzzy Hash: c75c8fa4db3572ccb2576f7c55375c8b5439fc2e36b17abbbb59882023c2f03c
                                                            • Instruction Fuzzy Hash: E1E15C74E002089FDF59DFB9D8547AEBBB7BF88310B148969D406EB398DE349842CB51
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3a702f5cfc8d4996e45c80c56bd14dcf9b80ba63812b30754789b5b43657e635
                                                            • Instruction ID: c34c6c45d913c19cc0d91e42b0049216eb1100985ce077e868faf8e9d497e73d
                                                            • Opcode Fuzzy Hash: 3a702f5cfc8d4996e45c80c56bd14dcf9b80ba63812b30754789b5b43657e635
                                                            • Instruction Fuzzy Hash: BBC1A174E00218CFDB15DFA5D954B9DBBB2FF88304F2085A9D909AB3A4DB359985CF10
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6cbfb3a1967150f69e728d6008135f8bcf64cc8d3fa561aeff6beb743a41a52d
                                                            • Instruction ID: e0f2da24c4d7fb3ed0db749a64365560aca8089ab0dc60c838090b1b46d473fd
                                                            • Opcode Fuzzy Hash: 6cbfb3a1967150f69e728d6008135f8bcf64cc8d3fa561aeff6beb743a41a52d
                                                            • Instruction Fuzzy Hash: 9CA12471D016198EDB11DFA9C8947DDFBB1EF89300F10C6AAE418BB260EB709A84CF41
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cb802959f8987087e1e8d0bceb386a7577d45ff5a99a0d1242c51b2e41f4d1c7
                                                            • Instruction ID: 386f4ae88c92af5f2fb4fa05af56a52ad21b6d2b36ccbeb475a4bd68ebd9bd01
                                                            • Opcode Fuzzy Hash: cb802959f8987087e1e8d0bceb386a7577d45ff5a99a0d1242c51b2e41f4d1c7
                                                            • Instruction Fuzzy Hash: 8EA10270D00208CFDB14DFA9D998BDDBBB1FF89304F209269E518AB2A1DB749985CF54
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 719ad301ca55fd8205b7a453638ea9da5ff659e6d747c6d3e4b4ba0c6c6e095c
                                                            • Instruction ID: 4a774442672662769e0f09da49ddd2e7f3941da649fc6bd6210d84cc7ae9887a
                                                            • Opcode Fuzzy Hash: 719ad301ca55fd8205b7a453638ea9da5ff659e6d747c6d3e4b4ba0c6c6e095c
                                                            • Instruction Fuzzy Hash: 91911270D00208CFDB15DFA9D588BDDBBB1FF49304F209269E619AB2A1DB749985CF14
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 711f1146f86995635a3d50cfa96df457f09ce5896bd6b7606d4654cd8a283a74
                                                            • Instruction ID: a55526e99867cae6893fd3261a4e4334d97843d0c84604fb07998ec6b7d54c03
                                                            • Opcode Fuzzy Hash: 711f1146f86995635a3d50cfa96df457f09ce5896bd6b7606d4654cd8a283a74
                                                            • Instruction Fuzzy Hash: 0A41D474D01248CBEB18CFA6D8546DDBBF2AF89300F24D12AD919AB3A5DB345946CF50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8cq$Hbq$Hbq$Hbq$TJcq
                                                            • API String ID: 0-1895975235
                                                            • Opcode ID: fc237cefe10f16213b53da4d7f52a2a948eafa84164feff6f5b6c8f58f9e748b
                                                            • Instruction ID: 44374df3ea29517a5c007d54d272111b4de56cd977c3ac4f026a3c8dc106f1b2
                                                            • Opcode Fuzzy Hash: fc237cefe10f16213b53da4d7f52a2a948eafa84164feff6f5b6c8f58f9e748b
                                                            • Instruction Fuzzy Hash: 9CD1A231B042088FCB15DB68C894BEE7BB6EF89324F245569E905EB3A1CB35DC45CB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $Hbq$Hbq$Hbq
                                                            • API String ID: 0-580995494
                                                            • Opcode ID: f296b435902cbce29852b9b7bb342d9234806d331f0cd01a2e72c20ef22ad623
                                                            • Instruction ID: b2ddb714d407b628f178a8ae6f933fc68457e21219bd8db8929e70603b4be245
                                                            • Opcode Fuzzy Hash: f296b435902cbce29852b9b7bb342d9234806d331f0cd01a2e72c20ef22ad623
                                                            • Instruction Fuzzy Hash: 60A1D334B002489FDB165F78A8587BE7BA2EF85368F654219ED22973D0CF349C05CB65
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Xbq$Xbq
                                                            • API String ID: 0-1243427068
                                                            • Opcode ID: 13d2ed74dfda639526ada20e3d64a966c10c3a4f525b6a19f5f69998fcb1042b
                                                            • Instruction ID: 25e9b06daae39d57eebba26acee67ad7d0b6a845e8515f3f8579759909d02249
                                                            • Opcode Fuzzy Hash: 13d2ed74dfda639526ada20e3d64a966c10c3a4f525b6a19f5f69998fcb1042b
                                                            • Instruction Fuzzy Hash: 8E71B2206472494ACF3B8EBDCC943F67762AFAE161B54045FEC82B615BEF2084C7C256
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PH^q$PH^q
                                                            • API String ID: 0-1598597984
                                                            • Opcode ID: c476a2edd07b27b7656abe879026f79d50e82624eda8feebda4431f93b792af8
                                                            • Instruction ID: 0838caaec9f11935aef9561cdb05f38a9ea668c3ac40357dcb3de4294e85537b
                                                            • Opcode Fuzzy Hash: c476a2edd07b27b7656abe879026f79d50e82624eda8feebda4431f93b792af8
                                                            • Instruction Fuzzy Hash: E451C174E012488FDB48DFA9D594AEDBBF2FF89310F109469E815AB369DB309846CF10
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8cq$TJcq
                                                            • API String ID: 0-1920894394
                                                            • Opcode ID: 7367751186e0648c3b7c3f2149c2ed12bd00b6da09f4a5ad4030bb6af31548f8
                                                            • Instruction ID: a43cb206a2315631f4c9248e038dda4102ae4b6f48b3700040e1cd304afeaf83
                                                            • Opcode Fuzzy Hash: 7367751186e0648c3b7c3f2149c2ed12bd00b6da09f4a5ad4030bb6af31548f8
                                                            • Instruction Fuzzy Hash: F3310435B401098FCB05EFA8C584EDDBBB2EF88324F555494E905AB365CB70EC85CBA1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8cq$TJcq
                                                            • API String ID: 0-1920894394
                                                            • Opcode ID: d6f02cd641a9df03cd8d79e908495ae99465a40cd8765834ccf81ad8e8376b2c
                                                            • Instruction ID: 36c064ff195c8a8b145dd258e284e3d072dd2da2a4c41d3a173ed0f64bfcd58f
                                                            • Opcode Fuzzy Hash: d6f02cd641a9df03cd8d79e908495ae99465a40cd8765834ccf81ad8e8376b2c
                                                            • Instruction Fuzzy Hash: 85313535B401098FCB05EFA8C584EDDBBB2EF88324F155094E905AB3A5CB70EC85CBA1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LR^q
                                                            • API String ID: 0-2625958711
                                                            • Opcode ID: 6168001f00271a6317f0700642e11771880ede762b2f4d2a2960d4317edab53a
                                                            • Instruction ID: 6efbef10eb8fe4f500ef7b0f22d5abd68259849c6a220468f6ffcc41de18ef7f
                                                            • Opcode Fuzzy Hash: 6168001f00271a6317f0700642e11771880ede762b2f4d2a2960d4317edab53a
                                                            • Instruction Fuzzy Hash: 27A1DA78E5420ACFCF05EFA8E99499DBBB2FB44305B104929D405AF3A9DB706D49DF80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LR^q
                                                            • API String ID: 0-2625958711
                                                            • Opcode ID: 3fdc2f2eff02dde129c254fc71dd48a02499ccbe54c1788c50a06cd6e411052d
                                                            • Instruction ID: d1bf0791f4420f82ca7c1218850702dec2ad3cadd315cad14c12ee13673583a2
                                                            • Opcode Fuzzy Hash: 3fdc2f2eff02dde129c254fc71dd48a02499ccbe54c1788c50a06cd6e411052d
                                                            • Instruction Fuzzy Hash: 86A1EC78E5420ACFCF05EFA8E99499DBBB2FB48304B104929D405AF3A9DB306D45CF80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Hbq
                                                            • API String ID: 0-1245868
                                                            • Opcode ID: 068e3b5d5075847338fc3a160424c2b272fa19f44952d672e54963594db5ad91
                                                            • Instruction ID: 12965c5d4291701b1654927c7796ffbda2d59602055b5215849fea87694a4ba1
                                                            • Opcode Fuzzy Hash: 068e3b5d5075847338fc3a160424c2b272fa19f44952d672e54963594db5ad91
                                                            • Instruction Fuzzy Hash: E031B231A002489FCB05EFB9D854AAE7BAAEF89304F1445B9E909DB351DE34DD06CB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Hbq
                                                            • API String ID: 0-1245868
                                                            • Opcode ID: ad8de7d082eaac5cbdb0ecf40ece5f0dd2b79baa8e70caf2d623dc1fd525ce04
                                                            • Instruction ID: acde48d6c510f0e22b69908fd7b09d245fc94e9aa8713da26d5686d87603fffa
                                                            • Opcode Fuzzy Hash: ad8de7d082eaac5cbdb0ecf40ece5f0dd2b79baa8e70caf2d623dc1fd525ce04
                                                            • Instruction Fuzzy Hash: AD31EA31A042489FCB45EF79C8547AE7FB6EF89300F1544A9E905DB351DA34DE05CB51
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 392489a756af5fb0be006cac7bd933758e07c772df1b4038b4465857088c27b9
                                                            • Instruction ID: 68945cf646a8487c33ac2aaae97e8c114c025e19eb4d4a33342556fc41aa6e43
                                                            • Opcode Fuzzy Hash: 392489a756af5fb0be006cac7bd933758e07c772df1b4038b4465857088c27b9
                                                            • Instruction Fuzzy Hash: 0D51C172B046059FCB168A69DC44BAABBB9EFC9324F14C53EE529D7750D631D8018760
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb3c2be39a1d061eca05113f90c8d4a03d2e6ce5f86c34cd594e0f90866425d6
                                                            • Instruction ID: 5706325691a72761368b0756631756a31777c79edf40f309af320f53292bb7d3
                                                            • Opcode Fuzzy Hash: fb3c2be39a1d061eca05113f90c8d4a03d2e6ce5f86c34cd594e0f90866425d6
                                                            • Instruction Fuzzy Hash: 8E41A374E01208DFDB09DFA9D894ADEBBB2BF89304F249529E405BB364DB349945CF14
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3afa7fb1ba636a49d9cc2b0a430c4d5f563548f56bbe134445cd6782b08a2f5a
                                                            • Instruction ID: 6cbd9b6e7ab929f7c000ec8b50de6eda2cbc71224119ef842ebb4a9bb5438559
                                                            • Opcode Fuzzy Hash: 3afa7fb1ba636a49d9cc2b0a430c4d5f563548f56bbe134445cd6782b08a2f5a
                                                            • Instruction Fuzzy Hash: 1931EC3042220FCFC2402F31B5EC27ABBB0FB0FB237866D05E40A84422CB3928869F11
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886539399.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_27b0000_RegAsm.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5f05d78de31c634a7f7fe2628fafdce4d3848ad4052c1abc7320eca689c91ed4
                                                            • Instruction ID: 3d9da6324dfbc8e678f813e79833e955e3d666ce6cc1748d3124950e37ef0250
                                                            • Opcode Fuzzy Hash: 5f05d78de31c634a7f7fe2628fafdce4d3848ad4052c1abc7320eca689c91ed4
                                                            • Instruction Fuzzy Hash: 73219D75A002469FCB25DF24C460AEE77A5EF8D664B50C419D84E9B280EB34EA06CBD2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2886387515.00000000026ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 026ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin