

Windows Analysis Report
Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe

Overview

General Information

Sample name: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
Analysis ID: 1542953
MD5: cdb36d7e12b4b09cc17a4acb15abcb32
SHA1: 22bac6bed40f58042c26c64f27fa6d1ba62bdf8b
SHA256: c51201337af75df4850b5392117e54eedfa2f1ac133e891947ece8102cdda0d0
Tags: exe, user-threatcat_ch

Detection

Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Adobe.exe (PID: 5480 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: CDB36D7E12B4B09CC17A4ACB15ABCB32)
    • Adobe.exe (PID: 2992 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: CDB36D7E12B4B09CC17A4ACB15ABCB32)
  • Adobe.exe (PID: 2128 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: CDB36D7E12B4B09CC17A4ACB15ABCB32)
    • Adobe.exe (PID: 4040 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: CDB36D7E12B4B09CC17A4ACB15ABCB32)
  • Adobe.exe (PID: 420 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: CDB36D7E12B4B09CC17A4ACB15ABCB32)
    • Adobe.exe (PID: 1732 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: CDB36D7E12B4B09CC17A4ACB15ABCB32)
    • Adobe.exe (PID: 2364 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: CDB36D7E12B4B09CC17A4ACB15ABCB32)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted Remcos configuration:
{
  "Host:Port:Password": ["104.250.180.178:7902:1"],
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "Adobe.exe",
  "Startup value": "Disable",
  "Mutex": "8",
  "Keylog flag": "logs.dat",
  "Keylog path": "Disable",
  "Keylog file": "Disable",
  "Keylog crypt": "Disable",
  "Hide keylog file": "1",
  "Screenshot flag": "Disable",
  "Screenshot time": "",
  "Take Screenshot option": "5",
  "Take screenshot title": "6",
  "Take screenshot time": "Screenshots",
  "Screenshot path": "Disable",
  "Screenshot file": "Disable",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "0",
  "Audio path": "Temp",
  "Audio folder": "",
  "Connect delay": "0",
  "Copy folder": "255D888404B9C193806CB403D579CFED",
  "Keylog file max size": "Enable"
}
Several labels in this block do not fit their values ("Keylog flag": "logs.dat", "Mutex": "8", "Take screenshot time": "Screenshots", "Copy folder": a 32-character hex string), so the label-to-value pairing of the extractor output should be treated as approximate. The values that matter for response are confirmed by the dynamic sections of this report: C2 at 104.250.180.178:7902, the install copy Adobe.exe under C:\ProgramData\Adobe, and Run-key persistence in both HKCU and HKLM.
Source | Rule | Description | Author
0000000B.00000002.1911615420.0000000000B17000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.4148352229.0000000001197000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000E.00000002.1991312876.00000000016B7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000006.00000002.1828805181.0000000001417000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(47 memory-dump matches in the full report; the first five are shown here)
Source | Rule | Description | Author
2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  Strings:
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(95 unpacked-PE matches in the full report; the first five are shown here)
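The rule hits above reduce to a handful of string families: the CMSTPLUA elevation moniker and CLSID next to CoGetObject, the reg.exe EnableLUA command, browser credential-store paths, and the update.vbs self-delete stub. The following Python re-checks those strings in a buffer in both ASCII and UTF-16LE and reports offsets in the report's own "0xOFFSET:$name" style. It is an added example written for this page, not Joe Sandbox, Yara or Remcos code; the sample buffer is constructed, and the family names and scoring are the editor's choices.

```python
"""Added triage helper for this page: re-check the indicator strings that the
Yara rules above match on, in both ASCII and UTF-16LE, and report offsets in
the same "0xOFFSET:$name" style as the report. Not Joe Sandbox, Yara or
Remcos code; the sample buffer below is constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

# Indicator families built from the rule strings listed in the report.
INDICATORS: Dict[str, List[str]] = {
    "cmstp_com_elevation": [
        "Elevation:Administrator!new:",               # elevation moniker prefix
        "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",     # CMSTPLUA CLSID ($guid1)
        "CoGetObject",                                # the API that binds it
    ],
    "uac_policy_tamper": [
        "CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWOR",
    ],
    "browser_cred_theft": [
        "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
        "[Firefox StoredLogins not found]",
    ],
    "vbs_self_delete": [
        'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
        "\\update.vbs",
    ],
}

Hit = Tuple[str, int, str]  # (string, offset, "ascii" | "wide")


def scan(buf: bytes) -> Dict[str, List[Hit]]:
    """Return {family: [hits sorted by offset]} for every family with a hit."""
    hits: Dict[str, List[Hit]] = {}
    for family, strings in INDICATORS.items():
        found: List[Hit] = []
        for s in strings:
            for label, codec in (("ascii", "ascii"), ("wide", "utf-16-le")):
                needle = re.escape(s.encode(codec))
                found += [(s, m.start(), label) for m in re.finditer(needle, buf)]
        if found:
            hits[family] = sorted(found, key=lambda h: h[1])
    return hits


def uac_bypass_capability(hits: Dict[str, List[Hit]]) -> bool:
    """CoGetObject on its own is a normal COM API; the moniker prefix together
    with the CMSTPLUA CLSID is what indicates the ICMLuaUtil elevation technique
    (MITRE T1218.003, as the ditekSHen rule above notes)."""
    seen = {s for s, _, _ in hits.get("cmstp_com_elevation", [])}
    return ("Elevation:Administrator!new:" in seen
            and "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" in seen)


def report(hits: Dict[str, List[Hit]]) -> List[str]:
    """Lines in the report's notation, e.g. '0x40:$cmstp_com_elevation (wide): ...'."""
    return [f"0x{off:x}:${fam} ({enc}): {s}"
            for fam, items in hits.items() for s, off, enc in items]


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked image: filler plus indicator strings,
    wide where a Windows binary would hold them as wchar_t, ASCII for the
    import name. Real samples would be read from the .unpack files instead."""
    return b"".join([
        b"\x00" * 0x40,
        "Elevation:Administrator!new:".encode("utf-16-le"), b"\x00\x00",
        "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16-le"), b"\x00\x00",
        b"CoGetObject\x00",
        b"\x00" * 0x20,
        "\\update.vbs".encode("utf-16-le"), b"\x00\x00",
        b"[Firefox StoredLogins not found]\x00",
    ])


if __name__ == "__main__":
    h = scan(build_sample())
    print("\n".join(report(h)))
    print("UAC bypass capability:", uac_bypass_capability(h))
```

Run it against the raw.unpack buffers from a report to see which families survive unpacking; the CoGetObject hit alone is not a verdict, which is why uac_bypass_capability insists on the moniker and CLSID being present together.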

                System Summary

Sigma: CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ProcessId: 5676, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK
Sigma: Wow6432Node CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, ProcessId: 5676, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK
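The two Sigma hits fire on the key path alone. What makes these two events worth an incident rather than a ticket is the combination the report shows: a binary running from the user's Desktop registering a different executable, dropped under C:\ProgramData, under a value name with a random suffix, in both the HKCU and the WOW6432Node HKLM Run keys. The Python below scores Sysmon EventID 13 events on exactly those properties. It is an added example written for this page, not Sigma, Sysmon or Joe Sandbox code; the first two events are copied from the report, the other two are constructed controls, and the weights and ALERT_THRESHOLD are the editor's assumptions.

```python
"""Added detection example for the two Sigma hits above: score Sysmon
EventID 13 (registry value set) events for autorun-key persistence, going a
step past the Sigma rule by weighing where the registered binary lives and
who wrote the key. Editor's example, not Sigma or Joe Sandbox code; the
events below are constructed, with the first two copied from this report."""
import re
from typing import Dict, List

AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce|Policies\\Explorer\\Run)\\",
    re.IGNORECASE,
)
# User-writable locations that installers rarely use but droppers often do.
DROP_DIRS = re.compile(
    r"^[A-Za-z]:\\(ProgramData|Users\\Public|Windows\\Temp"
    r"|Users\\[^\\]+\\AppData\\(Local|LocalLow|Roaming))\\",
    re.IGNORECASE,
)
# Value names shaped like "Adobe-OTOIRK": a vendor-ish word, a dash, random capitals.
RANDOM_SUFFIX = re.compile(r"^[A-Za-z]+-[A-Z]{5,}$")
USER_STAGING = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads)\\", re.IGNORECASE)
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe"}   # assumed allow-list of writers
ALERT_THRESHOLD = 3                               # assumed; tune to your estate


def first_token(command_line: str) -> str:
    """Executable path from a Run value, honouring surrounding quotes."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Dict) -> Dict:
    """Score one Sysmon event; 'alert' is True at or above ALERT_THRESHOLD."""
    result = {"alert": False, "score": 0, "reasons": [], "hive": None,
              "value_name": None, "payload": None, "pid": ev.get("ProcessId")}
    target = ev.get("TargetObject", "")
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue" \
            or not AUTORUN_KEY.search(target):
        return result
    payload = first_token(ev.get("Details", ""))
    image = ev.get("Image", "")
    score, reasons = 1, ["autorun key written (Sigma baseline)"]
    if DROP_DIRS.match(payload):
        score, reasons = score + 2, reasons + ["payload in a drop directory"]
    value_name = target.rsplit("\\", 1)[-1]
    if RANDOM_SUFFIX.match(value_name):
        score, reasons = score + 1, reasons + ["value name has a random suffix"]
    if basename(image) not in INSTALLER_IMAGES and basename(image) != basename(payload):
        score, reasons = score + 1, reasons + ["writer registers a different binary"]
    if USER_STAGING.search(image):
        score, reasons = score + 1, reasons + ["writer runs from Desktop/Downloads"]
    result.update(score=score, reasons=reasons, alert=score >= ALERT_THRESHOLD,
                  hive="HKLM" if target.upper().startswith("HKEY_LOCAL_MACHINE") else "HKCU",
                  value_name=value_name, payload=payload)
    return result


def analyze(events: List[Dict]) -> List[Dict]:
    return [evaluate(ev) for ev in events]


SAMPLE_PATH = (r"C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W "
               r"KHH-RTM SO A268.scr.exe")
SAMPLE_EVENTS = [
    # The two events the report's Sigma rules fired on.
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE_PATH, "ProcessId": 5676,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK",
     "Details": r'"C:\ProgramData\Adobe\Adobe.exe"'},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE_PATH, "ProcessId": 5676,
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK",
     "Details": r'"C:\ProgramData\Adobe\Adobe.exe"'},
    # Constructed benign control: an MSI install registering its own agent.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe",
     "ProcessId": 1234,
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContosoAgent",
     "Details": r'"C:\Program Files\Contoso\Agent.exe" /background'},
    # Constructed non-autorun write: ignored entirely.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "ProcessId": 4321,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_EVENTS):
        if r["alert"]:
            print(f"[{r['score']}] {r['hive']} Run\\{r['value_name']} -> {r['payload']} "
                  f"(pid {r['pid']}): " + "; ".join(r["reasons"]))
```

Both report events score 6 of a possible 6 while the constructed installer scores 1, so the threshold separates them with room to spare; the point of the extra factors is that a Run-key write by itself is too common to page on.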
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-27T00:26:02.171573+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:26:11.441815+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:26:21.018529+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:26:30.527977+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:26:40.017205+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:26:49.520874+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:26:59.044860+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:27:08.540749+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:27:18.086991+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49809 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:27:27.586798+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49861 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:27:37.115641+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49912 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:27:46.619432+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49968 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:27:56.337149+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:28:05.867282+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:28:15.362379+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:28:24.872246+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50021 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:28:34.379141+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50022 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:28:43.883422+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50023 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:28:53.389175+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50024 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:29:02.893154+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50025 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:29:12.408281+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50026 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:29:21.911274+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50027 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:29:31.414962+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50028 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:29:41.335258+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50029 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:29:50.848889+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50030 | 104.250.180.178 | 7902 | TCP
2024-10-27T00:30:00.375238+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50031 | 104.250.180.178 | 7902 | TCP
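The alert table is itself evidence of the channel's shape: 26 separate TCP connections to 104.250.180.178:7902, each from a fresh source port, spaced about 9.5 seconds apart with almost no jitter. That regularity is what lets a SOC confirm a check-in loop from flow metadata alone when the TLS payload is opaque. The Python below derives that profile from the timestamps. It is an added example written for this page, not Suricata or Joe Sandbox output; ALERTS carries the 26 rows from the table above, CONTROL is a constructed irregular flow to a documentation address, and the min_connections and max_cv thresholds are the editor's assumptions.

```python
"""Added example for the Suricata table above: derive a beaconing profile from
the alert timestamps, which is what a SOC does to confirm a C2 channel even
when the TLS payload is opaque. Editor's code, not Suricata or Joe Sandbox
output; ALERTS holds the 26 rows from the report, CONTROL is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Alert = Tuple[str, str, int, str, int]  # (timestamp, src_ip, src_port, dst_ip, dst_port)

C2 = "104.250.180.178"
_ROWS = [  # (time of day, source port) exactly as the report lists them
    ("00:26:02.171573", 50032), ("00:26:11.441815", 49733), ("00:26:21.018529", 49736),
    ("00:26:30.527977", 49743), ("00:26:40.017205", 49744), ("00:26:49.520874", 49745),
    ("00:26:59.044860", 49746), ("00:27:08.540749", 49764), ("00:27:18.086991", 49809),
    ("00:27:27.586798", 49861), ("00:27:37.115641", 49912), ("00:27:46.619432", 49968),
    ("00:27:56.337149", 50018), ("00:28:05.867282", 50019), ("00:28:15.362379", 50020),
    ("00:28:24.872246", 50021), ("00:28:34.379141", 50022), ("00:28:43.883422", 50023),
    ("00:28:53.389175", 50024), ("00:29:02.893154", 50025), ("00:29:12.408281", 50026),
    ("00:29:21.911274", 50027), ("00:29:31.414962", 50028), ("00:29:41.335258", 50029),
    ("00:29:50.848889", 50030), ("00:30:00.375238", 50031),
]
ALERTS: List[Alert] = [(f"2024-10-27T{t}+0200", "192.168.2.4", p, C2, 7902) for t, p in _ROWS]

# Constructed control: six user-paced connections to a documentation address.
CONTROL: List[Alert] = [
    (f"2024-10-27T{t}+0200", "192.168.2.4", p, "198.51.100.7", 443)
    for t, p in [("00:26:00.000000", 51000), ("00:26:03.000000", 51001),
                 ("00:26:45.000000", 51002), ("00:26:52.000000", 51003),
                 ("00:28:30.000000", 51004), ("00:28:45.000000", 51005)]
]


def parse_ts(ts: str) -> datetime:
    # Suricata timestamps carry a numeric UTC offset, which %z accepts.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_profile(alerts: List[Alert], min_connections: int = 5,
                   max_cv: float = 0.1) -> Dict[Tuple[str, int], Dict]:
    """Per destination: connection count, distinct source ports, mean gap
    between connections, coefficient of variation of the gaps, and a verdict.
    A low CV means near-constant spacing, the hallmark of a timer-driven
    check-in rather than user-driven traffic."""
    by_dst: Dict[Tuple[str, int], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, _src, sport, dip, dport in alerts:
        by_dst[(dip, dport)].append((parse_ts(ts), sport))
    profile: Dict[Tuple[str, int], Dict] = {}
    for dst, conns in by_dst.items():
        conns.sort()
        times = [t for t, _ in conns]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {"connections": len(conns),
                 "distinct_src_ports": len({p for _, p in conns}),
                 "span_s": (times[-1] - times[0]).total_seconds(),
                 "mean_interval_s": None, "cv": None, "beacon": False}
        if len(conns) >= min_connections:
            m = mean(gaps)
            cv = pstdev(gaps) / m if m > 0 else float("inf")
            entry.update(mean_interval_s=m, cv=cv, beacon=cv <= max_cv)
        profile[dst] = entry
    return profile


if __name__ == "__main__":
    for (ip, port), e in beacon_profile(ALERTS + CONTROL).items():
        print(f"{ip}:{port} conns={e['connections']} ports={e['distinct_src_ports']} "
              f"mean={e['mean_interval_s']} cv={e['cv']} beacon={e['beacon']}")
```

On the report's rows the mean gap comes out near 9.53 s with a coefficient of variation around 0.01, so the verdict is unambiguous; the control's gaps of 3, 42, 7, 98 and 15 seconds give a CV above 1 and are left alone. In production the same function runs over flow records rather than IDS alerts, which also catches the beacons the JA3 signature misses.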


                AV Detection

Source: 0000000B.00000002.1911615420.0000000000B17000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos (the configuration block shown under Classification above)
Source: C:\ProgramData\Adobe\Adobe.exe | ReversingLabs: Detection: 68%
Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1911615420.0000000000B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4148352229.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1991312876.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1828805181.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1713552944.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 5676, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 4040, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2364, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Adobe\Adobe.exe | Joe Sandbox ML: detected
Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_05e49f42-3)

                Exploits

Source: Yara match | File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 5676, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTR

                Privilege Escalation

Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_004074FD _wcslen,CoGetObject
Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: sdmQ.pdbSHA256X | Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, Adobe.exe.2.dr
Source: Binary string: sdmQ.pdb | Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, Adobe.exe.2.dr
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                Networking

                barindex
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49743 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49744 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49736 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49746 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49745 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49764 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49861 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49809 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49912 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49968 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50018 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50021 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50024 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50022 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50025 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50027 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50019 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50028 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50026 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50029 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50023 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50020 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50031 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50030 -> 104.250.180.178:7902
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50032 -> 104.250.180.178:7902
                Source: Malware configuration extractor | IPs: 104.250.180.178
                Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 104.250.180.178:7902
                Source: Joe Sandbox View | IP Address: 104.250.180.178
                Source: Joe Sandbox View | ASN Name: M247GB
                Source: unknown | TCP traffic detected without corresponding DNS query: 104.250.180.178 (50 occurrences)
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_0041B380
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | String found in binary or memory: http://geoplugin.net/json.gp
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, Adobe.exe.2.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1726948563.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp, Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 2_2_0040A2B8
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 2_2_0040B70E
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_004168C1
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 2_2_0040B70E
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 2_2_0040A3E0

                E-Banking Fraud

                Source: Yara match | File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.1911615420.0000000000B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4148352229.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.1991312876.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1828805181.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1713552944.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 5676, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6380, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2992, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 4040, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2364, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Code function: 2_2_0041C9E2 SystemParametersInfoW, 2_2_0041C9E2

                System Summary

                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 5676, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\ProgramData\Adobe\Adobe.exe; Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: 0_2_07A62CA8 NtQueryInformationProcess, 0_2_07A62CA8
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: 0_2_07A62CA0 NtQueryInformationProcess, 0_2_07A62CA0
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 3_2_09462CA8 NtQueryInformationProcess, 3_2_09462CA8
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 3_2_09462CA7 NtQueryInformationProcess, 3_2_09462CA7
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 5_2_06F92CA8 NtQueryInformationProcess, 5_2_06F92CA8
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 5_2_06F92CA0 NtQueryInformationProcess, 5_2_06F92CA0
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 8_2_06CA2CA8 NtQueryInformationProcess, 8_2_06CA2CA8
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 8_2_06CA2CA0 NtQueryInformationProcess, 8_2_06CA2CA0
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 12_2_075E2CA8 NtQueryInformationProcess, 12_2_075E2CA8
                Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 12_2_075E2CA0 NtQueryInformationProcess, 12_2_075E2CA0
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: 2_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 2_2_004167B4
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: String function: 00434E10 appears 54 times
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: String function: 00402093 appears 50 times
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: String function: 00434770 appears 41 times
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: String function: 00401E65 appears 34 times
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1720319477.000000000147E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000000.1687885828.0000000001040000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamesdmQ.exe> vs Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1729700880.000000000C440000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Binary or memory string: OriginalFilenamesdmQ.exe> vs Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Remcos_b296e965; reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants; Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 5676, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Adobe.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.AddAccessRule
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.SetAccessControl
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.AddAccessRule
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.SetAccessControl
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.c440000.5.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.c440000.5.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, GbJsxY5dMfUyIJFP38.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.c440000.5.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.c440000.5.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.c440000.5.raw.unpack, ssWigPMrLM0nBkmnNx.cs | Security API names: _0020.AddAccessRule
                Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@18/4@0/1
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,2_2_00417952
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,2_2_0040F474
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,2_2_0041B4A8
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AA4A
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.logJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeMutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
                Source: C:\ProgramData\Adobe\Adobe.exeMutant created: NULL
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeReversingLabs: Detection: 68%
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeFile read: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeJump to behavior
                Source: unknown Process created: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe "C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Process created: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe "C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\ProgramData\Adobe\Adobe.exe Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: unknown Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: mscoree.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: apphelp.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: kernel.appcore.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: version.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: uxtheme.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: windows.storage.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: wldp.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: profapi.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: cryptsp.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: rsaenh.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: cryptbase.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: dwrite.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: textshaping.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: windowscodecs.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: amsi.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: userenv.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: msasn1.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: gpapi.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: winmm.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: urlmon.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: wininet.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: iertutil.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: srvcli.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: netutils.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: iphlpapi.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: rstrtmgr.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: ncrypt.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: ntasn1.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: sspicli.dll
                Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: sdmQ.pdbSHA256X source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, Adobe.exe.2.dr
                Source: Binary string: sdmQ.pdb source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, Adobe.exe.2.dr

                Data Obfuscation

                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, formMain.cs .Net Code: InitializeComponent
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4300b90.1.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs .Net Code: KocTLp4ESCTIalH6SDh System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.c440000.5.raw.unpack, ssWigPMrLM0nBkmnNx.cs .Net Code: KocTLp4ESCTIalH6SDh System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.7cc0000.4.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, ssWigPMrLM0nBkmnNx.cs .Net Code: KocTLp4ESCTIalH6SDh System.Reflection.Assembly.Load(byte[])
                Source: Adobe.exe.2.dr, formMain.cs .Net Code: InitializeComponent
                Source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, ssWigPMrLM0nBkmnNx.cs .Net Code: KocTLp4ESCTIalH6SDh System.Reflection.Assembly.Load(byte[])
                Source: 3.2.Adobe.exe.4f19130.2.raw.unpack, ssWigPMrLM0nBkmnNx.cs .Net Code: KocTLp4ESCTIalH6SDh System.Reflection.Assembly.Load(byte[])
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Static PE information: 0xC382600C [Sun Dec 10 03:16:28 2073 UTC]
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_0041CB50
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 0_2_05939738 push eax; mov dword ptr [esp], ecx 0_2_0593973C
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 0_2_0752562F push eax; ret 0_2_0752563D
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 0_2_07F034F0 push cs; ret 0_2_07F0349E
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_00457106 push ecx; ret 2_2_00457119
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_0045B11A push esp; ret 2_2_0045B141
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_00457A28 push eax; ret 2_2_00457A46
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_00434E56 push ecx; ret 2_2_00434E69
                Source: C:\ProgramData\Adobe\Adobe.exe Code function: 3_2_077113E7 push 0000005Dh; ret 3_2_077113FA
                Source: C:\ProgramData\Adobe\Adobe.exe Code function: 3_2_09463807 push 5DE58B90h; ret 3_2_0946387B
                Source: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Static PE information: section name: .text entropy: 7.963915363078747
                Source: Adobe.exe.2.dr Static PE information: section name: .text entropy: 7.963915363078747
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, S1GosBhPNx6MgT985B.csHigh entropy of concatenated method names: 'P6XVOoO7XC', 'eseVY2Nf5g', 'T5f6TMc2G9', 'XvX6STEyoO', 'ySTVFD900N', 'Ft0VDpFLiL', 'ow7VcTqy34', 'CZBV9gC0kv', 'j4QVukv4HC', 'L4DVytLD7T'
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, GbJsxY5dMfUyIJFP38.csHigh entropy of concatenated method names: 'wtgW9s0syr', 'STSWuUeDoM', 'pwkWyy4ttQ', 'UXVWrOlBGC', 'dCZWXu4VP1', 'p7cWha6EKd', 'sM0W8XHWID', 'RXRWOLP5SY', 'ghqW05OZQO', 'W1fWYkrQBA'
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, xL4OQrtXpwi0nC7uwr.csHigh entropy of concatenated method names: 'eSMgqOw4y5', 'NVKgfFWNLf', 'A8VgnquLcV', 'aaHgmogdrW', 'VPRgC45Fw3', 'M3kg49NqJC', 'tFegUXHByA', 'Xilg5NrmkW', 'C9TgQj5WVI', 'gPegJkF2Xm'
                Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, TWYvnFQGxfCKTtpWxX.csHigh entropy of concatenated method names: 'gelsmX2nKb', 'uh4s416Bfp', 'jgds5GGKA2', 'G0QsQ45FZr', 'gaIsZTR955', 'PxjsK1l6F4', 'Go4sVCJ24w', 'p1Ks6XA4eL', 'eC3s1NPWwW', 'EqfsRZ9sxp'
Source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack (entries from igmxDBjeJ9QtEqiD5m.cs onward), 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.c440000.5.raw.unpack, 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, 3.2.Adobe.exe.4fd3550.3.raw.unpack and 3.2.Adobe.exe.4f19130.2.raw.unpack
The same twenty obfuscated classes, with identical method-name lists, were reported for each of these unpacked memory dumps, so the same .NET code is present in the memory of both the submitted sample and the dropped Adobe.exe. The list is given once here rather than once per dump:
S1GosBhPNx6MgT985B.cs: High entropy of concatenated method names: 'P6XVOoO7XC', 'eseVY2Nf5g', 'T5f6TMc2G9', 'XvX6STEyoO', 'ySTVFD900N', 'Ft0VDpFLiL', 'ow7VcTqy34', 'CZBV9gC0kv', 'j4QVukv4HC', 'L4DVytLD7T'
GbJsxY5dMfUyIJFP38.cs: High entropy of concatenated method names: 'wtgW9s0syr', 'STSWuUeDoM', 'pwkWyy4ttQ', 'UXVWrOlBGC', 'dCZWXu4VP1', 'p7cWha6EKd', 'sM0W8XHWID', 'RXRWOLP5SY', 'ghqW05OZQO', 'W1fWYkrQBA'
xL4OQrtXpwi0nC7uwr.cs: High entropy of concatenated method names: 'eSMgqOw4y5', 'NVKgfFWNLf', 'A8VgnquLcV', 'aaHgmogdrW', 'VPRgC45Fw3', 'M3kg49NqJC', 'tFegUXHByA', 'Xilg5NrmkW', 'C9TgQj5WVI', 'gPegJkF2Xm'
TWYvnFQGxfCKTtpWxX.cs: High entropy of concatenated method names: 'gelsmX2nKb', 'uh4s416Bfp', 'jgds5GGKA2', 'G0QsQ45FZr', 'gaIsZTR955', 'PxjsK1l6F4', 'Go4sVCJ24w', 'p1Ks6XA4eL', 'eC3s1NPWwW', 'EqfsRZ9sxp'
igmxDBjeJ9QtEqiD5m.cs: High entropy of concatenated method names: 'NN3gBYwxhs', 'fgcgsDDFdB', 'tA0gIvM2RB', 'H9WIYIIhHa', 'eg7IzXdnPt', 'mshgTKrfmI', 'l18gSfK7nc', 'yaVgHcLTQT', 'l6cgaxUjZG', 'gnXg7EeGVx'
RHMAlvWJLeDEVKu79s.cs: High entropy of concatenated method names: 'Dispose', 'cclS0Q2JM9', 'JOrHp2ACEm', 'kjFkkNRg9J', 'bU1SY3UuVi', 'wRFSzhB1E0', 'ProcessDialogKey', 'wJwHTZ8yF8', 'bT2HSNbBUh', 'kgqHHZSAn3'
Wwdw2E7f9OleJXalp4.cs: High entropy of concatenated method names: 'XtpSgbJsxY', 'nMfSMUyIJF', 'OGxSPfCKTt', 'HWxSdXRx42', 'abUSZYJ5DS', 'w45SKwjcMZ', 'tvhp07RN5rL7BhRKHX', 'KsCOuoZqaPdMoAayIL', 'z3GSSukPX2', 'JWQSaabLbX'
j58B10ST1Nt3fUR9y45.cs: High entropy of concatenated method names: 'lAL1qLDluG', 'YxV1fU5upO', 'pIw1n6Zch9', 'sGb1meyoYd', 'OMb1C1NDh2', 'mwC14DvNTn', 'f8J1UrPPW6', 'ihl157Bwtl', 'R6F1QGsBtG', 'BxZ1JhGP9R'
Voiil0ytJCWS7qCqtD.cs: High entropy of concatenated method names: 'ToString', 'M6nKFZwgOe', 'BGmKp4eqrk', 'sD6K2vVbBg', 'kBEK3ZEqxU', 'VwtKl8EtQ7', 'kqtKkDXhN8', 'cyVKjt6fkT', 'wcvKGwpb3J', 'r9TKt48Urd'
tvyiX5pC08stLawmPf.cs: High entropy of concatenated method names: 'y6EAq0Kvxi0RdeyktOG', 'GEEHXlK3rFbZMjh7YZD', 'JmeI6VI6aS', 'e5eI12Yl8e', 'Y1HIRcpAJR', 'bDt4rdK0OFaVClQtuEl', 'cLOACpKPybE9S7PC8yA', 'ilnYoeK85t8p209U0kc'
ssWigPMrLM0nBkmnNx.cs: High entropy of concatenated method names: 'WruaxpFQxt', 'mfpaBlnRub', 'wH8aWcuhLG', 'qsQasmbk0M', 'g8raAl2lHg', 'EgRaI3YAco', 'GICagonZj0', 'GJHaMB4huk', 'WyKabX1l61', 'i10aPrqCgj'
oSAn3SYnIUlkNZXE7d.cs: High entropy of concatenated method names: 'BHq1SfnrQ1', 'sIQ1a0NQWX', 'UM017TELtT', 'reX1BFHHQs', 'U1W1WV8ckt', 'IwT1AIbHEG', 'NsU1I8JQOJ', 'h6b68FaWl2', 'LBC6ObChvV', 'gFq60J3tuw'
C13UuVOivRFhB1E0vJ.cs: High entropy of concatenated method names: 'z1Q6BY7JyE', 'DF46WmZk2U', 'O1G6sd2GqM', 'lt36AMbVr9', 'zkL6IpDtVA', 'b7J6gmQXAu', 'r2Y6M8b26k', 'PqR6b4dhlG', 'uuG6P2kR8F', 'kG56diJNLP'
curQ5tcZqSHS2g54t7.cs: High entropy of concatenated method names: 'FRlw5lOldR', 'vQEwQCo7y5', 'whWwNUNVBR', 'UlJwpaB0YI', 'zJcw3p7SFu', 'zQqwl0l4OY', 'JtnwjucjFr', 'zpNwGJEoN9', 'b63wo4wck7', 'sktwFOHsT5'
poSZVvSar0ZVrO0l8yw.cs: High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zuuR9StLib', 'suSRuwcPw2', 'QfDRydHftH', 'YvNRrpXS00', 'DMrRXnthpD', 'gtERhQgYhK', 'nUsR83Nimo'
DDSv45NwjcMZUHIfZ2.cs: High entropy of concatenated method names: 'iVKIxY9VEy', 'KEPIWTb9dH', 'nSoIAx9aUP', 'Xr2IggLgiS', 'MIaIMlcfAe', 'F1mAXuxBjZ', 'ystAhiHIlJ', 'bM1A8aWuaO', 'tIOAO478u9', 'qWPA0ZSxj2'
qQCSTLrPa7o5ABnKC4.cs: High entropy of concatenated method names: 'iH5VPkua7L', 'DGDVd9fOiS', 'ToString', 'xjIVBORsqJ', 'A0aVW4TInQ', 'fd7VsH8CkX', 'MFJVAMBbqS', 'kGoVI6YN9h', 'BhsVgHpriV', 'cT8VM0ja4s'
yc7dFuHBposchOPOgP.cs: High entropy of concatenated method names: 'AUenMEQyO', 'RHqmurGjj', 'P7K4wdZsh', 'SKjUD6Co2', 'cynQTiK9L', 'VqCJvZOVo', 'ouDVidfIc5ZFB9XiZp', 'skmJ7Yb0MNTMNA6kcM', 'nrF6WWQY7', 'yFXRlbYh2'
nZ8yF80HT2NbBUhMgq.cs: High entropy of concatenated method names: 'Oun6NBaeuQ', 'L3V6peTFTB', 'odt62dfwIM', 'x5l63r4P1k', 'YuM69ytEMU', 'F6h6l2SDgh', 'Next', 'Next', 'Next', 'NextBytes'
i9B8in9uoIrFBxEgLh.cs: High entropy of concatenated method names: 'CF7Zoj1IPF', 'BAFZD6Ff0k', 'rbnZ9Tytm1', 'PHDZuU00SQ', 'DLdZpnmose', 'uHiZ2pkuGf', 'pmOZ3wVwrP', 'aurZlHDEY3', 'tHRZkWihdL', 'JhuZjMlW0o'
Only a handful of readable names survive in these classes (Dispose, ProcessDialogKey, ToString, CanConvertFrom, ConvertFrom, ConvertTo, Next, NextBytes). These are overrides of public virtual members that a renaming obfuscator has to leave intact, and they are consistent with a System.Windows.Forms control, a System.ComponentModel.TypeConverter and a System.Random subclass; the mixed-case alphanumeric names around them are the obfuscator's output, which is what the entropy heuristic keys on.
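The heuristic behind the entries above, re-implemented as an added example (this is not Joe Sandbox's code). It concatenates a class's method names, measures the Shannon entropy of the result in bits per character, and separately counts how many names fail a simple shape test for hand-written PascalCase .NET members. The input is the method-name list reported for nZ8yF80HT2NbBUhMgq.cs plus a constructed benign list; the 4.5-bit and 50 % thresholds and the shape test (digits, lowercase initial, consonant runs of five or more) are the example's own assumptions, not the sandbox's.

```python
"""Re-implementation of the 'high entropy of concatenated method names' heuristic.

Added example on constructed input; not Joe Sandbox code.
"""
import math
import re
from collections import Counter

# Method names copied from the report's entry for nZ8yF80HT2NbBUhMgq.cs.
OBFUSCATED = ['Oun6NBaeuQ', 'L3V6peTFTB', 'odt62dfwIM', 'x5l63r4P1k',
              'YuM69ytEMU', 'F6h6l2SDgh', 'Next', 'Next', 'Next', 'NextBytes']

# Constructed benign comparison: names a hand-written TypeConverter might expose.
BENIGN = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GetProperties',
          'IsValid', 'ToString']

# Five or more consonants in a row (y treated as a vowel) almost never occur in
# English-derived identifiers but are common in generated ones.
_CONSONANT_RUN = re.compile(r'[b-df-hj-np-tv-xz]{5,}', re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for the empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(name: str) -> bool:
    """True when a name does not look like a hand-written PascalCase .NET member.

    Assumed shape test for the example: generated names contain digits, start
    with a lowercase letter, or contain a long consonant run.
    """
    return (any(ch.isdigit() for ch in name)
            or name[:1].islower()
            or _CONSONANT_RUN.search(name) is not None)


def score_class(names, entropy_threshold=4.5, generated_threshold=0.5):
    """Score one class's method names the way the sandbox signature does.

    Entropy alone is noisy (a long, varied but readable API also scores high),
    so the verdict also requires that at least `generated_threshold` of the
    names fail the shape test.  Names that pass are reported back because they
    are usually overrides of public virtual members and hint at the base class.
    """
    joined = ''.join(names)
    entropy = shannon_entropy(joined)
    generated = [n for n in names if looks_generated(n)]
    readable = sorted(set(names) - set(generated))
    fraction = len(generated) / len(names) if names else 0.0
    return {
        'entropy': round(entropy, 2),
        'generated_fraction': round(fraction, 2),
        'readable': readable,
        'suspicious': entropy >= entropy_threshold and fraction >= generated_threshold,
    }


if __name__ == '__main__':
    for label, names in (('nZ8yF80HT2NbBUhMgq.cs', OBFUSCATED), ('benign', BENIGN)):
        print(label, score_class(names))
```

The readable survivors returned for the report's class are Next and NextBytes, which is how the base-class inference in the note above is reached; a class whose names are all readable but varied (the benign list) stays below the combined threshold even though its raw entropy is not far from the obfuscated one.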

                Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; File written: C:\ProgramData\Adobe\Adobe.exe
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: 2_2_00406EB0 ShellExecuteW,URLDownloadToFileW (download-and-execute capability: the function can fetch a file from a URL and launch it)
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; File created: \doc089776867565357609 - ever atop v.1319-008w khh-rtm so a268.scr.exe (reported 4 times)
Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; File created: C:\ProgramData\Adobe\Adobe.exe (dropped file, reported twice; C:\ProgramData is writable by a standard user, so no elevation is needed for this drop)

                Boot Survival

                barindex
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRKJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AA4A
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRKJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRKJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRKJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRKJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041CB50
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe  Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match  File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTR
                Source: Yara match  File source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTR
                Source: Yara match  File source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTR
                Source: Yara match  File source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTR
                Source: Yara match  File source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Code function: 2_2_0040F7A7 Sleep,ExitProcess,2_2_0040F7A7
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: 3140000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: 32E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: 52E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: 9830000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: A830000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: AA40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: BA40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: C500000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: D500000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe  Memory allocated: E500000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 32E0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 33E0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 53E0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 95B0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: A5B0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: A7C0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: B7C0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: C010000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: D010000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: E010000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: E80000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 2A80000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 4A80000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 87D0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 97D0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 99C0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: A9C0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: B600000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: C600000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: D600000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: E90000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 29A0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 49A0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 88B0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 98B0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 9AB0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: AAB0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: B530000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: C530000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: D530000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 30A0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 32B0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 30F0000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 9300000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: 7730000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: A300000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: B300000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: BD90000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: CD90000 memory reserve | memory write watch
                Source: C:\ProgramData\Adobe\Adobe.exe  Memory allocated: DD90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,2_2_0041A748
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeWindow / User API: threadDelayed 6329Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeWindow / User API: threadDelayed 3654Jump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeEvaded block: after key decisiongraph_2-47044
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeEvaded block: after key decisiongraph_2-47068
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeAPI coverage: 6.4 %
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe TID: 2836Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 5968Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 6984Thread sleep count: 6329 > 30Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 6984Thread sleep time: -18987000s >= -30000sJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 6984Thread sleep count: 3654 > 30Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 6984Thread sleep time: -10962000s >= -30000sJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 5676Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 5776Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe TID: 4124Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00409253
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C291
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C34D
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00409665
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_0040880C
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0040783C FindFirstFileW,FindNextFileW,2_2_0040783C
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419AF5
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB30
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD37
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407C97
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: Adobe.exe, 00000004.00000002.4148352229.0000000001197000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQb
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004349F9
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041CB50
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_004432B5 mov eax, dword ptr fs:[00000030h]2_2_004432B5
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00412077 GetProcessHeap,HeapFree,2_2_00412077
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeProcess token adjusted: DebugJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004349F9
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00434B47 SetUnhandledExceptionFilter,2_2_00434B47
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043BB22
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: 2_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00434FDC
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Memory written: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe base: 400000 value starts with: 4D5A
                Source: C:\ProgramData\Adobe\Adobe.exe; Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                Source: C:\ProgramData\Adobe\Adobe.exe; Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                Source: C:\ProgramData\Adobe\Adobe.exe; Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                Source: C:\ProgramData\Adobe\Adobe.exe; Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_00412117
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: 2_2_00419627 mouse_event, 2_2_00419627
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Process created: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe "C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: 2_2_00434C52 cpuid 2_2_00434C52
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: EnumSystemLocalesW, 2_2_00452036
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_004520C3
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: GetLocaleInfoW, 2_2_00452313
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: EnumSystemLocalesW, 2_2_00448404
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0045243C
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: GetLocaleInfoW, 2_2_00452543
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00452610
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: GetLocaleInfoA, 2_2_0040F8D1
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: GetLocaleInfoW, 2_2_004488ED
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00451CD8
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: EnumSystemLocalesW, 2_2_00451F50
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Code function: EnumSystemLocalesW, 2_2_00451F9B
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\ProgramData\Adobe\Adobe.exe Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                Source: C:\ProgramData\Adobe\Adobe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\ProgramData\Adobe\Adobe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\ProgramData\Adobe\Adobe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\ProgramData\Adobe\Adobe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_0040B164 GetLocalTime,wsprintfW, 2_2_0040B164
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_0041B60D GetUserNameW, 2_2_0041B60D
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Code function: 2_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_004493AD
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.1911615420.0000000000B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.4148352229.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.1991312876.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.1828805181.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1713552944.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 5676, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6380, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 2992, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 4040, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 2364, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data2_2_0040BA12
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\2_2_0040BB30
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exeCode function: \key3.db2_2_0040BB30

                Remote Access Functionality

                Source: Yara match, File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.Adobe.exe.4726260.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.Adobe.exe.46ad640.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.Adobe.exe.4fbc4f8.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.Adobe.exe.478e220.3.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.Adobe.exe.508e190.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.Adobe.exe.508e190.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.Adobe.exe.4e47498.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.Adobe.exe.4726260.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.Adobe.exe.4f018b8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4e78c98.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.Adobe.exe.478e220.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4fedcf8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 12.2.Adobe.exe.4fbc4f8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.Adobe.exe.46191c0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.Adobe.exe.46ad640.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.Adobe.exe.4fd3550.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.Adobe.exe.45f2a00.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.Adobe.exe.46d35e0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.Adobe.exe.4f19130.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe.4f330b8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000B.00000002.1911615420.0000000000B17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4148352229.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000E.00000002.1991312876.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.1828805181.0000000001417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.1713552944.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 6196, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe PID: 5676, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 3152, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 6380, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 5480, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 2992, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 2128, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 4040, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 420, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 2364, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, Code function: cmd.exe, 2_2_0040569A
                MITRE ATT&CK Matrix, read column by column (a number in parentheses is the badge the matrix shows on that technique cell):
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                Execution: Native API (2); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (121); Registry Run Keys / Startup Folder (11); Startup Items; Scheduled Task/Job; At; Cron; Launchd
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (121)
                Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (33); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Connections Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1542953; Sample: Doc089776867565357609 - EVE...; Startdate: 27/10/2024; Architecture: WINDOWS; Score: 100. Graph edges, with node numbers as on the graph and bracketed numbers being the badges shown beside each process node:
                • Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
                • Start node started: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe [3] (node 8); Adobe.exe [2] (node 12); Adobe.exe [2] (node 14); Adobe.exe [2] (node 16)
                • Node 8 (Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe): dropped Doc089776867565357...SO A268.scr.exe.log, ASCII; signature: Injects a PE file into a foreign processes; started Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe [2 4] (node 18)
                • Node 12 (Adobe.exe): started Adobe.exe (node 22) and Adobe.exe (node 24); node 14 (Adobe.exe): started Adobe.exe (node 26); node 16 (Adobe.exe): started Adobe.exe (node 28)
                • Node 18 (Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe): dropped C:\ProgramData\Adobe\Adobe.exe, PE32 and C:\ProgramData\...\Adobe.exe:Zone.Identifier, ASCII; signatures: Creates autostart registry keys with suspicious names; Drops executable to a common third party application directory; started Adobe.exe [3] (node 30)
                • Node 30 (Adobe.exe): signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes; started Adobe.exe [3 1] (node 33)
                • Node 33 (Adobe.exe): DNS/IP node 42: 104.250.180.178, ports 49733, 49736, 49743, M247GB, United States

                Source | Detection | Scanner | Label
                Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
                Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                C:\ProgramData\Adobe\Adobe.exe | 100% | Joe Sandbox ML |
                C:\ProgramData\Adobe\Adobe.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.fontbureau.com | 0% | URL Reputation | safe
                http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
                http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
                http://www.fonts.com | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.apache.org/licenses/LICENSE-2.0 | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                http://www.fontbureau.com | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designersG | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/? | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn/bThe | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers? | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://tempuri.org/DataSet1.xsd | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, Adobe.exe.2.dr | false | | unknown
                http://www.tiro.com | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.goodfont.co.kr | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.carterandcone.coml | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.com | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://geoplugin.net/json.gp | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | false | URL Reputation: safe | unknown
                http://www.typography.netD | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/cabarga.htmlN | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn/cThe | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/staff/dennis.htm | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/frere-user.html | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://geoplugin.net/json.gp/C | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Adobe.exe, 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Adobe.exe, 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/ | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/DPlease | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers8 | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.fonts.com | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.sandoll.co.kr | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.urwpp.deDPlease | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.zhongyicts.com.cn | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.sakkal.com | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1726948563.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp, Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, 00000000.00000002.1727110911.0000000007562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                104.250.180.178 | unknown | United States | 9009 | M247GB | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1542953
                Start date and time: 2024-10-27 00:25:06 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 10m 42s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 16
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                Detection: MAL
                Classification: mal100.rans.troj.spyw.expl.evad.winEXE@18/4@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 218
                • Number of non-executed functions: 210
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                Time | Type | Description
                18:25:59 | API Interceptor | 1x Sleep call for process: Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe modified
                18:26:01 | API Interceptor | 4936976x Sleep call for process: Adobe.exe modified
                23:26:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
                23:26:11 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
                23:26:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
                Match | Associated Sample Name / URL | Detection | Threat Name
                104.250.180.178 | PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm
                104.250.180.178 | rSOD219ISF-____.scr.exe | malicious | Remcos
                104.250.180.178 | rWWTLCLtoUSADCL.scr.exe | malicious | XWorm
                104.250.180.178 | ttCOg61bOg.exe | malicious | Remcos
                104.250.180.178 | SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe | malicious | Remcos
                104.250.180.178 | ISF #U8a02#U8259#U55ae - KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm
                104.250.180.178 | ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe | malicious | Remcos
                104.250.180.178 | F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe | malicious | XWorm
                104.250.180.178 | DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm
                104.250.180.178 | 6122.scr.exe | malicious | Remcos
                                        No context
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    M247GB | PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm | 104.250.180.178
                    M247GB | x86.elf | malicious | Unknown | 213.182.204.57
                    M247GB | arm5.elf | malicious | Unknown | 213.182.204.57
                    M247GB | nshmpsl.elf | malicious | Unknown | 213.182.204.57
                    M247GB | nsharm.elf | malicious | Unknown | 213.182.204.57
                    M247GB | nsharm5.elf | malicious | Unknown | 213.182.204.57
                    M247GB | harm5.elf | malicious | Unknown | 213.182.204.57
                    M247GB | harm4.elf | malicious | Unknown | 213.182.204.57
                    M247GB | mips.elf | malicious | Unknown | 213.182.204.57
                    M247GB | T52Z708x2p.exe | malicious | Phorpiex, Xmrig | 91.202.233.141
                                        No context
                                        No context
                                        Process:C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):973824
                                        Entropy (8bit):7.958632731616559
                                        Encrypted:false
                                        SSDEEP:12288:/CfiaKJpEBPqhqZELFu0Hy52/aSMlon8NyPtGKN5VV2WJ9oaTXJmBupazmbME:/YitEsFS5+aSmoeyVG+V90OkswzSp
                                        MD5:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        SHA1:22BAC6BED40F58042C26C64F27FA6D1BA62BDF8B
                                        SHA-256:C51201337AF75DF4850B5392117E54EEDFA2F1AC133E891947ECE8102CDDA0D0
                                        SHA-512:2CDB43718DE629E69A93E1AC138747D2550BF2A1A56BC265C19837171067D843A4AED83B6C95D04488B15CBD2A80B07C9F4412E5B787507575E09D333912B909
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 68%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`................0.................. ........@.. .......................@............@.................................E...O.......0.................... ......(...p............................................ ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc....... ......................@..B................y.......H........t...i......M...................................................z..}.....(.......(......(.....*..0............{....o....r...p(......,...{....o....(......*...0..]........( .....,R..{....o!....("...o#.....{.....{....o$....("...o%...o&.....{......X.o'......}.....*....0............(......,...((.....*....0..!.........(......,...{....o).....(......*6.r...p(*...&*....{.....(......{....r...po+....*....0..U.........{....,..{.......+....,....(....}......}.....+$.{....,..{....+.
                                        Process:C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        Process:C:\ProgramData\Adobe\Adobe.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.958632731616559
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                                        File size:973'824 bytes
                                        MD5:cdb36d7e12b4b09cc17a4acb15abcb32
                                        SHA1:22bac6bed40f58042c26c64f27fa6d1ba62bdf8b
                                        SHA256:c51201337af75df4850b5392117e54eedfa2f1ac133e891947ece8102cdda0d0
                                        SHA512:2cdb43718de629e69a93e1ac138747d2550bf2a1a56bc265c19837171067d843a4aed83b6c95d04488b15cbd2a80b07c9f4412e5b787507575e09d333912b909
                                        SSDEEP:12288:/CfiaKJpEBPqhqZELFu0Hy52/aSMlon8NyPtGKN5VV2WJ9oaTXJmBupazmbME:/YitEsFS5+aSmoeyVG+V90OkswzSp
                                        TLSH:0A25232127FC2B70E27EEBFD44B622581BB3B60A5818E70D4ED915ED48B27890E54F13
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`................0.................. ........@.. .......................@............@................................
                                        Icon Hash:90cececece8e8eb0
                                        Entrypoint:0x4eee9a
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0xC382600C [Sun Dec 10 03:16:28 2073 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xeee45 | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x630 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf2000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xecd28 | 0x70 | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xecea0 | 0xed000 | b6516cd0327bbbda3c2996f1cf62e07e | False | 0.9642061000131856 | data | 7.963915363078747 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xf0000 | 0x630 | 0x800 | 7b77cf3233e7bc99b533ad7eb66a8612 | False | 0.33837890625 | data | 3.472619484078445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0xf2000 | 0xc | 0x200 | 3b211899f1d650392c2b3c9461fa1fd5 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_VERSION | 0xf0090 | 0x3a0 | data | - | - | 0.4224137931034483
                    RT_MANIFEST | 0xf0440 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
                    DLL | Import
                    mscoree.dll | _CorExeMain
                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                    2024-10-27T00:26:02.171573+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50032 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:26:11.441815+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49733 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:26:21.018529+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49736 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:26:30.527977+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49743 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:26:40.017205+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49744 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:26:49.520874+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49745 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:26:59.044860+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49746 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:27:08.540749+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49764 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:27:18.086991+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49809 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:27:27.586798+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49861 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:27:37.115641+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49912 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:27:46.619432+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49968 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:27:56.337149+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50018 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:28:05.867282+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50019 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:28:15.362379+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50020 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:28:24.872246+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50021 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:28:34.379141+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50022 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:28:43.883422+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50023 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:28:53.389175+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50024 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:29:02.893154+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50025 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:29:12.408281+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50026 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:29:21.911274+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50027 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:29:31.414962+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50028 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:29:41.335258+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50029 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:29:50.848889+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50030 | 104.250.180.178 | 7902 | TCP
                    2024-10-27T00:30:00.375238+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50031 | 104.250.180.178 | 7902 | TCP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Oct 27, 2024 00:26:02.925770998 CEST | 49733 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:02.931269884 CEST | 7902 | 49733 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:02.931349039 CEST | 49733 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:02.936942101 CEST | 49733 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:02.942477942 CEST | 7902 | 49733 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:11.441689968 CEST | 7902 | 49733 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:11.441814899 CEST | 49733 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:11.442043066 CEST | 49733 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:11.447448969 CEST | 7902 | 49733 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:12.497822046 CEST | 49736 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:12.505711079 CEST | 7902 | 49736 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:12.505824089 CEST | 49736 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:12.511343002 CEST | 49736 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:12.518928051 CEST | 7902 | 49736 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:21.018374920 CEST | 7902 | 49736 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:21.018528938 CEST | 49736 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:21.018528938 CEST | 49736 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:21.026968002 CEST | 7902 | 49736 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:22.032020092 CEST | 49743 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:22.037512064 CEST | 7902 | 49743 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:22.037596941 CEST | 49743 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:22.041568995 CEST | 49743 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:22.047235012 CEST | 7902 | 49743 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:30.527714014 CEST | 7902 | 49743 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:30.527976990 CEST | 49743 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:30.528076887 CEST | 49743 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:30.537900925 CEST | 7902 | 49743 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:31.531426907 CEST | 49744 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:31.538259029 CEST | 7902 | 49744 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:31.539365053 CEST | 49744 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:31.543181896 CEST | 49744 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:31.551377058 CEST | 7902 | 49744 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:40.017126083 CEST | 7902 | 49744 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:40.017205000 CEST | 49744 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:40.017343044 CEST | 49744 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:40.024382114 CEST | 7902 | 49744 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:41.031599045 CEST | 49745 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:41.037056923 CEST | 7902 | 49745 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:41.037163973 CEST | 49745 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:41.042398930 CEST | 49745 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:41.047904968 CEST | 7902 | 49745 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:49.520778894 CEST | 7902 | 49745 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:49.520874023 CEST | 49745 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:49.520967007 CEST | 49745 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:49.528877974 CEST | 7902 | 49745 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:50.531455040 CEST | 49746 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:50.537054062 CEST | 7902 | 49746 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:50.537209988 CEST | 49746 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:50.540308952 CEST | 49746 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:50.545727968 CEST | 7902 | 49746 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:59.044761896 CEST | 7902 | 49746 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:26:59.044859886 CEST | 49746 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:59.044936895 CEST | 49746 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:26:59.050527096 CEST | 7902 | 49746 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:27:00.047102928 CEST | 49764 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:27:00.053775072 CEST | 7902 | 49764 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:27:00.053919077 CEST | 49764 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:27:00.057717085 CEST | 49764 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:27:00.064739943 CEST | 7902 | 49764 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:27:08.540679932 CEST | 7902 | 49764 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:27:08.540749073 CEST | 49764 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:27:08.601516008 CEST | 49764 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:27:08.608844042 CEST | 7902 | 49764 | 104.250.180.178 | 192.168.2.4
                    Oct 27, 2024 00:27:09.609819889 CEST | 49809 | 7902 | 192.168.2.4 | 104.250.180.178
                    Oct 27, 2024 00:27:09.615430117 CEST | 7902 | 49809 | 104.250.180.178 | 192.168.2.4
                                        Oct 27, 2024 00:27:09.615519047 CEST498097902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:09.620484114 CEST498097902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:09.625894070 CEST790249809104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:18.086889982 CEST790249809104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:18.086991072 CEST498097902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:18.087090015 CEST498097902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:18.094219923 CEST790249809104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:19.096577883 CEST498617902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:19.102230072 CEST790249861104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:19.102315903 CEST498617902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:19.105834007 CEST498617902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:19.111203909 CEST790249861104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:27.586596966 CEST790249861104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:27.586797953 CEST498617902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:27.586797953 CEST498617902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:27.593561888 CEST790249861104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:28.594064951 CEST499127902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:28.601944923 CEST790249912104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:28.605108976 CEST499127902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:28.608467102 CEST499127902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:28.615741968 CEST790249912104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:37.115571022 CEST790249912104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:37.115641117 CEST499127902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:37.115709066 CEST499127902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:37.121148109 CEST790249912104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:38.125417948 CEST499687902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:38.131344080 CEST790249968104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:38.133122921 CEST499687902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:38.137672901 CEST499687902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:38.143239021 CEST790249968104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:46.618154049 CEST790249968104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:46.619431973 CEST499687902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:46.619466066 CEST499687902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:46.627557993 CEST790249968104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:47.625256062 CEST500187902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:47.850748062 CEST790250018104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:47.850887060 CEST500187902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:47.854217052 CEST500187902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:47.859728098 CEST790250018104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:56.333108902 CEST790250018104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:56.337148905 CEST500187902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:56.337192059 CEST500187902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:56.342732906 CEST790250018104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:57.344043016 CEST500197902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:57.349750042 CEST790250019104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:27:57.349841118 CEST500197902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:57.354852915 CEST500197902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:27:57.360438108 CEST790250019104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:05.866651058 CEST790250019104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:05.867281914 CEST500197902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:05.867394924 CEST500197902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:05.877782106 CEST790250019104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:06.875277996 CEST500207902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:06.882936954 CEST790250020104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:06.883059978 CEST500207902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:06.886600018 CEST500207902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:06.894107103 CEST790250020104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:15.362301111 CEST790250020104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:15.362379074 CEST500207902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:15.362425089 CEST500207902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:15.369791031 CEST790250020104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:16.375317097 CEST500217902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:16.382437944 CEST790250021104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:16.383333921 CEST500217902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:16.386692047 CEST500217902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:16.393335104 CEST790250021104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:24.872124910 CEST790250021104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:24.872246027 CEST500217902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:24.872358084 CEST500217902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:24.877890110 CEST790250021104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:25.875284910 CEST500227902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:25.882445097 CEST790250022104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:25.885171890 CEST500227902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:25.888777018 CEST500227902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:25.895159960 CEST790250022104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:34.376568079 CEST790250022104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:34.379141092 CEST500227902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:34.379185915 CEST500227902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:34.384603977 CEST790250022104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:35.391011000 CEST500237902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:35.397222996 CEST790250023104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:35.399168015 CEST500237902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:35.402426958 CEST500237902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:35.407768011 CEST790250023104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:43.881776094 CEST790250023104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:43.883421898 CEST500237902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:43.883508921 CEST500237902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:43.888930082 CEST790250023104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:44.890861988 CEST500247902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:44.896296978 CEST790250024104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:44.896394014 CEST500247902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:44.899693012 CEST500247902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:44.904994965 CEST790250024104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:53.387403011 CEST790250024104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:53.389174938 CEST500247902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:53.389223099 CEST500247902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:53.394668102 CEST790250024104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:54.390933990 CEST500257902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:54.396464109 CEST790250025104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:28:54.397293091 CEST500257902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:54.400342941 CEST500257902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:28:54.405785084 CEST790250025104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:02.891782045 CEST790250025104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:02.893153906 CEST500257902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:02.893233061 CEST500257902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:02.898751020 CEST790250025104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:03.907094955 CEST500267902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:03.915143967 CEST790250026104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:03.915246010 CEST500267902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:03.918427944 CEST500267902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:03.926023960 CEST790250026104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:12.408138037 CEST790250026104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:12.408281088 CEST500267902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:12.408382893 CEST500267902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:12.413724899 CEST790250026104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:13.422362089 CEST500277902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:13.427927971 CEST790250027104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:13.428014994 CEST500277902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:13.431293011 CEST500277902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:13.436592102 CEST790250027104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:21.911201954 CEST790250027104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:21.911273956 CEST500277902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:21.911438942 CEST500277902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:21.918469906 CEST790250027104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:22.922404051 CEST500287902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:22.929789066 CEST790250028104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:22.929857969 CEST500287902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:22.934451103 CEST500287902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:22.942028999 CEST790250028104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:31.414736032 CEST790250028104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:31.414962053 CEST500287902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:31.415047884 CEST500287902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:31.422013044 CEST790250028104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:32.422440052 CEST500297902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:32.589818954 CEST790250029104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:32.590033054 CEST500297902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:32.597670078 CEST500297902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:32.603183031 CEST790250029104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:41.335170984 CEST790250029104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:41.335258007 CEST500297902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:41.335340023 CEST500297902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:41.336499929 CEST790250029104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:41.336564064 CEST500297902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:41.342693090 CEST790250029104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:42.345902920 CEST500307902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:42.352082968 CEST790250030104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:42.354579926 CEST500307902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:42.358387947 CEST500307902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:42.363871098 CEST790250030104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:50.848614931 CEST790250030104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:50.848889112 CEST500307902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:50.848951101 CEST500307902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:50.854614019 CEST790250030104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:51.859770060 CEST500317902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:51.865338087 CEST790250031104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:29:51.865525007 CEST500317902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:51.868838072 CEST500317902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:29:51.874229908 CEST790250031104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:30:00.373692989 CEST790250031104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:30:00.375237942 CEST500317902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:30:00.375237942 CEST500317902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:30:00.380732059 CEST790250031104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:30:01.390955925 CEST500327902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:30:01.396588087 CEST790250032104.250.180.178192.168.2.4
                                        Oct 27, 2024 00:30:01.397207022 CEST500327902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:30:01.400140047 CEST500327902192.168.2.4104.250.180.178
                                        Oct 27, 2024 00:30:01.405565023 CEST790250032104.250.180.178192.168.2.4

                                        Target ID:0
                                        Start time:18:25:58
                                        Start date:26/10/2024
                                        Path:C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
                                        Imagebase:0xf50000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1723368053.0000000004B77000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:18:26:01
                                        Start date:26/10/2024
                                        Path:C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe"
                                        Imagebase:0x690000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1713552944.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:18:26:01
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0x7ff7699e0000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1744258599.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 68%, ReversingLabs
                                        Reputation:low
                                        Has exited:true

                                        Target ID:4
                                        Start time:18:26:02
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0xab0000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4148352229.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:5
                                        Start time:18:26:11
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0x650000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.1834261255.0000000004317000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:18:26:12
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0xbe0000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.1828805181.0000000001417000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:8
                                        Start time:18:26:19
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0x570000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1930488685.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:11
                                        Start time:18:26:21
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0x4b0000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1911615420.0000000000B17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:12
                                        Start time:18:26:28
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0xe70000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2011831278.0000000004D8D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:13
                                        Start time:18:26:28
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0x80000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:14
                                        Start time:18:26:28
                                        Start date:26/10/2024
                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                        Imagebase:0xed0000
                                        File size:973'824 bytes
                                        MD5 hash:CDB36D7E12B4B09CC17A4ACB15ABCB32
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1991312876.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                          Execution Graph

                                          Execution Coverage:12.5%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:3.1%
                                          Total number of Nodes:319
                                          Total number of Limit Nodes:12
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (odq$4'dq$4'dq$4'dq
                                          • API String ID: 0-3599379907
                                          • Opcode ID: f7e9805f0f40685e66db7980dfe7fd6fa13dc7688bcf88e379449f8557a8b5e7
                                          • Instruction ID: 049a7ca058bd585d55c5dc8c3bb2d81c695ec66799a2365db399b1bf6f54cb46
                                          • Opcode Fuzzy Hash: f7e9805f0f40685e66db7980dfe7fd6fa13dc7688bcf88e379449f8557a8b5e7
                                          • Instruction Fuzzy Hash: 78A272B070061A9FCB15CF68C484AEEBBB6FF8A310F158556E405DB3A1D735E842DBA1

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (odq$(odq$,hq$,hq
                                          • API String ID: 0-1125629291
                                          • Opcode ID: 6ebb70137b5d6f982557b7111560561d38e2bc7228a2163c1f57f475cadd0251
                                          • Instruction ID: 168f94aa3e7a91ba3e2414b1b9b46016cb6d524dbb1fc0f297a4192a880512a1
                                          • Opcode Fuzzy Hash: 6ebb70137b5d6f982557b7111560561d38e2bc7228a2163c1f57f475cadd0251
                                          • Instruction Fuzzy Hash: 97D12FB1A00129DFCB14CFA9D984ADDBBB2BF8A300F15C156E805AB2A5D735DD42DF50

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726283184.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_58e0000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Ppdq
                                          • API String ID: 0-2552977383
                                          • Opcode ID: 464e75c7b6787dc7717ceab5b225ec7379542d4080b0d301c8a0d54e5a161bac
                                          • Instruction ID: 0353efdc1e80b5c1d7a03bd5567ff4ce2c7c8630106c8f4ce30a0bcaa10c5b1a
                                          • Opcode Fuzzy Hash: 464e75c7b6787dc7717ceab5b225ec7379542d4080b0d301c8a0d54e5a161bac
                                          • Instruction Fuzzy Hash: 0453A574A00219CFCB25DF28C894B99B7B1FF89305F1145E9EA09AB361DB31AE85CF45

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726283184.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_58e0000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Ppdq
                                          • API String ID: 0-2552977383
                                          • Opcode ID: 2116adfa374e142e7bbe93ade0ece8832a99ca7c649591c73b0c490c1533b82e
                                          • Instruction ID: ffed899d90e4547f273368adc64a68391711884e388917bc32f63ba393100540
                                          • Opcode Fuzzy Hash: 2116adfa374e142e7bbe93ade0ece8832a99ca7c649591c73b0c490c1533b82e
                                          • Instruction Fuzzy Hash: 7353A474A00219CFCB25DF28C894B99B7B1FF89305F1145E9EA09AB361DB31AE85CF45

                                          Control-flow Graph
                                          (rendering omitted: function entry 75299e0; basic-block edge list and executed/not-executed colouring not reproduced)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (odq$Hhq
                                          • API String ID: 0-1720555311
                                          • Opcode ID: 9b0b2b52a1b280a6efa6ba976c0005c826fa65bd0337f3df92bca1d2441a5f5a
                                          • Instruction ID: 4b2c370d3e18103fb39b584f80e043678fe640f9aa41404aeebaedbcaec5b41e
                                          • Opcode Fuzzy Hash: 9b0b2b52a1b280a6efa6ba976c0005c826fa65bd0337f3df92bca1d2441a5f5a
                                          • Instruction Fuzzy Hash: 551283B0A002299FDB54DF69C8547AEBBF6BF89300F148569E905EB390DF349D42DB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728526280.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7f00000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: U
                                          • API String ID: 0-3372436214
                                          • Opcode ID: 12b73fbe8083fc0717d3fd96e0fd78c46f373d4689667c1187164fde9ded22b9
                                          • Instruction ID: 87502bdbf5962eb3e50da4f65819774c48dfd9bbd9540e093a50f0cc114205f5
                                          • Opcode Fuzzy Hash: 12b73fbe8083fc0717d3fd96e0fd78c46f373d4689667c1187164fde9ded22b9
                                          • Instruction Fuzzy Hash: 01C1EDB1B007098FEB29DB75C4507AEB7FAAF89701F188469D1468B7D0DB35E801CB92
                                          APIs
                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07A62D27
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: InformationProcessQuery
                                          • String ID:
                                          • API String ID: 1778838933-0
                                          • Opcode ID: d567424a7d6d12043843817ad2aa4cc3f6aaa4609cb6a1aa43dc137863a3aa9d
                                          • Instruction ID: 9f599214e00c2f998974cf59a4f0f1db9d70d5bb6e7b6a4e4a07b1cdc0e299b8
                                          • Opcode Fuzzy Hash: d567424a7d6d12043843817ad2aa4cc3f6aaa4609cb6a1aa43dc137863a3aa9d
                                          • Instruction Fuzzy Hash: 6B21D0B6901349DFCB10DF9AD885ADEFBF4FB48320F10851AE918A7650C375A554CFA1
                                          APIs
                                          • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07A62D27
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: InformationProcessQuery
                                          • String ID:
                                          • API String ID: 1778838933-0
                                          • Opcode ID: f40c53173b5e4da719a1c61b804e84074cee7d144fab1751757e5f1dcfaef274
                                          • Instruction ID: a9f7929012a8c704e4ae95690b51abec94df8c9182cd10cc6629f4ed396956e5
                                          • Opcode Fuzzy Hash: f40c53173b5e4da719a1c61b804e84074cee7d144fab1751757e5f1dcfaef274
                                          • Instruction Fuzzy Hash: D721BDB5901359DFCB10DF9AD884ADEBBF5FB48310F10842AE918A7250C375A944CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc636fb86743f26b9775b9e6290786fa680110687eabc4b5e2e642efdccf6991
                                          • Instruction ID: a2e36a61d4f4566b1d16dfa41fcd632830636a634a7e83b5015ea14435863cee
                                          • Opcode Fuzzy Hash: fc636fb86743f26b9775b9e6290786fa680110687eabc4b5e2e642efdccf6991
                                          • Instruction Fuzzy Hash: 5D4292B4E01219CFDB14CFA9D984B9DBBF2BF48301F1481A9E819AB355D734AA81CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc923a0d46f200a80216771aa7f1c632f84f8374429b136d620f9fb62a8f7500
                                          • Instruction ID: 09baf1c81bf75c2f941390bbc3098b5cf22b41f82fae88b12091f36773be33e6
                                          • Opcode Fuzzy Hash: fc923a0d46f200a80216771aa7f1c632f84f8374429b136d620f9fb62a8f7500
                                          • Instruction Fuzzy Hash: 5032D3B0901229CFDB50DF69D680A9EFBB2FF49315F55D195D408AB291CB30E986CFA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 537744380e4bac620645e0866f6c7f8a4210f232af81de2118029b52509ba039
                                          • Instruction ID: 21304f00b33b1bb1aad64f68bca323cd50cc0676a97d7e5adb9873df338b0121
                                          • Opcode Fuzzy Hash: 537744380e4bac620645e0866f6c7f8a4210f232af81de2118029b52509ba039
                                          • Instruction Fuzzy Hash: FC614A75E002599FCF05DFA9D8489FEBBF2EF89310F10842AE815A7254DB749A06CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f74a3d38ac5eb08719314803568188d54c873b4a06878ca21bcaad81a9f87320
                                          • Instruction ID: 8665f4d9bbec46357b609164a38fa71e802499234143882fa719a8f352f6fcec
                                          • Opcode Fuzzy Hash: f74a3d38ac5eb08719314803568188d54c873b4a06878ca21bcaad81a9f87320
                                          • Instruction Fuzzy Hash: 387106B4E01218CFDB19CF6AD894BDEBBB2BF89310F1481AAD814AB365D7345981CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 060a38e457579f2b92f2a2a457e1bd7deb11d65f4493095fe72c869ab2f4774f
                                          • Instruction ID: 4736603fa9f99548baf6a85e17e9a423b79fa6fa1351130c86fd4dbe08cc9c26
                                          • Opcode Fuzzy Hash: 060a38e457579f2b92f2a2a457e1bd7deb11d65f4493095fe72c869ab2f4774f
                                          • Instruction Fuzzy Hash: 1A5193B1D016199FDB04DFEAC9446EEFBB2FF89301F10802AE819AB254DB745A46CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3bb7ee6244b2a17deacdf233bae521b2e0a576b942c1ef7f6b9e9df2043aac6a
                                          • Instruction ID: c905de50cf369e57bf7ab220bfe8f733f1d0a61d48e64a27ed49fabd3bb7ff2b
                                          • Opcode Fuzzy Hash: 3bb7ee6244b2a17deacdf233bae521b2e0a576b942c1ef7f6b9e9df2043aac6a
                                          • Instruction Fuzzy Hash: 584192B1E006599FDB08DFAAC9856EEFBF2AF89300F14C16AD418AB254DB345A45CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e216916f35621c278d94ed618633138f64584976d732135b7122136d843d779
                                          • Instruction ID: 6a92d5fa8b0313eee021431d0fecf9815f2c3f54eb04b9b2b68d676648613c94
                                          • Opcode Fuzzy Hash: 1e216916f35621c278d94ed618633138f64584976d732135b7122136d843d779
                                          • Instruction Fuzzy Hash: 7F21E4B1D056588BEB18CFA7C8497EEFFB6AFD9300F04C06AD41966264DB7805458F90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d1fe3dab3774936e0bac31a44a8e16ca6009bc32d0dc3a928b85cab1b914410
                                          • Instruction ID: 054df5c32e46ca1f868ada3fed67315e48df52feb59e4b43a35a52657fba9199
                                          • Opcode Fuzzy Hash: 2d1fe3dab3774936e0bac31a44a8e16ca6009bc32d0dc3a928b85cab1b914410
                                          • Instruction Fuzzy Hash: 7621C5B1D116188BEB18CF9BC8497EEFAF6BFC9300F04C06AD41976264DB7919458F50

                                          Control-flow Graph
                                          (rendering omitted: function entry 752a730; basic-block edge list and executed/not-executed colouring not reproduced)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (odq$(odq$(odq$(odq$(odq$(odq$,hq$,hq
                                          • API String ID: 0-1376594924
                                          • Opcode ID: 752a718df254965d31e2de88ce53ae6aa955552cc3eca901c9a5f867f08a6cb1
                                          • Instruction ID: e413e9df1e02cca3dec7f8a9ad908a6afbb0770e791db09b79359e92fd99f0bb
                                          • Opcode Fuzzy Hash: 752a718df254965d31e2de88ce53ae6aa955552cc3eca901c9a5f867f08a6cb1
                                          • Instruction Fuzzy Hash: FD124CB4A002199FCB15CF69C984AEEBBF2BF49315F158559E809DB3A1DB30ED42CB50

                                          Control-flow Graph
                                          (rendering omitted: function entry 7526f00; basic-block edge list and executed/not-executed colouring not reproduced)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (hq$LRdq$PHdq$$dq$$dq$$dq
                                          • API String ID: 0-817501624
                                          • Opcode ID: 72029775ac25a704ba34a4527c021ad07506fb82d696107da17d184aa0849344
                                          • Instruction ID: 7687230888961bac26857459309c75f99d3b0beece8ffbf89bb50604510c2ac6
                                          • Opcode Fuzzy Hash: 72029775ac25a704ba34a4527c021ad07506fb82d696107da17d184aa0849344
                                          • Instruction Fuzzy Hash: F422A1B4710214CFCB04DF69E499AAD7BB2FF89300F508459E90A8B394DF35AD46CB55

                                          Control-flow Graph
                                          (rendering omitted: function entry 7526ef2; basic-block edge list and executed/not-executed colouring not reproduced)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRdq$PHdq$$dq$$dq
                                          • API String ID: 0-57653318
                                          • Opcode ID: 2859ffc9a274ce66873fda0299ba0cc8f8a529c728db37fcca5d8d7315b4ff12
                                          • Instruction ID: b40bee827a7eb6601b9730f0f94663eaf3b7833a81aea9b72c1744118210ab52
                                          • Opcode Fuzzy Hash: 2859ffc9a274ce66873fda0299ba0cc8f8a529c728db37fcca5d8d7315b4ff12
                                          • Instruction Fuzzy Hash: 647162B0A0021A8FDB24DF69C4946AE7BB2FF8E300F148869E905DB394DB35DD46DB51

                                          Control-flow Graph
                                          (rendering omitted: function entry 752df58; basic-block edge list and executed/not-executed colouring not reproduced)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (odq$(odq$(odq
                                          • API String ID: 0-4025557139
                                          • Opcode ID: e00c6981e177288e7a1d911b214741d91e8638f62ed0d51aa71ccabec775e190
                                          • Instruction ID: 045b3239ff6081873ea367d654be9936466fa447d4dc0df99424063e69f13978
                                          • Opcode Fuzzy Hash: e00c6981e177288e7a1d911b214741d91e8638f62ed0d51aa71ccabec775e190
                                          • Instruction Fuzzy Hash: 6DF14AB0A0022A9FCB15CF64C889DEEBBF6BF89300B15C565E9159B2D1C734F942DB94

Control-flow Graph (rendered as an image in the original report; the raw node/edge listing is summarized here): entry block at 7528f70, basic blocks spanning 7528f70 to 7529324, calls to 7528f70 (the function calls itself), 75299e0 and 7529338. Executed / not-executed block colouring is not recoverable in text.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq$Hhq
                                          • API String ID: 0-2450388649
                                          • Opcode ID: dc46da28edbe05c534899a3919b0b2a2bdb18c3e038315424e399de711302475
                                          • Instruction ID: 95e216089847bcfed41d2d24064c4e7421294f25df387e88e8ba1872b86f962d
                                          • Opcode Fuzzy Hash: dc46da28edbe05c534899a3919b0b2a2bdb18c3e038315424e399de711302475
                                          • Instruction Fuzzy Hash: 7DB1D4B57042258FCB159F69C854BAE7BA6BF8A300F14446AE906DB3D0CB74DC82D791

Control-flow Graph (rendered as an image in the original report; the raw node/edge listing is summarized here): entry block at 752bcd0, basic blocks spanning 752bcd0 to 752c09f, calls to 752bb30 from two sites. Executed / not-executed block colouring is not recoverable in text.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'dq$4'dq
                                          • API String ID: 0-2306408947
                                          • Opcode ID: 025b53cb298b42681b6856d4232ae10020e7111aeb68d22ee3e20dfbf16e459d
                                          • Instruction ID: 2edf30f4000fb63b802733b0328137c723a2fa680f6bd19d34839a48cb18b7ef
                                          • Opcode Fuzzy Hash: 025b53cb298b42681b6856d4232ae10020e7111aeb68d22ee3e20dfbf16e459d
                                          • Instruction Fuzzy Hash: 19B16DF03105228FDB299B29C4597BD37AABF87640F14046AE512CF3F6EA69CC43A751

Control-flow Graph (rendered as an image in the original report; the raw node/edge listing is summarized here): entry block at 75294d0, basic blocks spanning 75294d0 to 752976e, no calls to other functions. Executed / not-executed block colouring is not recoverable in text.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ,hq$,hq
                                          • API String ID: 0-3475114797
                                          • Opcode ID: 1908014357f41052c3747ad25f1648a3b0311742702cb9fa5bcfd6b412389fc0
                                          • Instruction ID: fe58b1f26f591ffa958fb83e8bf218a626f7258c0e5d3b759855e91bbfc65be9
                                          • Opcode Fuzzy Hash: 1908014357f41052c3747ad25f1648a3b0311742702cb9fa5bcfd6b412389fc0
                                          • Instruction Fuzzy Hash: 868161F4B101268FCB14DF69C484AAAB7F2BF8A310F158169D416E73A4D731F842DB91

Control-flow Graph (rendered as an image in the original report; the raw node/edge listing is summarized here): entry block at 752c7cd, basic blocks spanning 752c764 to 752c9fd, calls to 752c258 from two sites. Executed / not-executed block colouring is not recoverable in text.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'dq$4'dq
                                          • API String ID: 0-2306408947
                                          • Opcode ID: ec00101b955955de773d188b8e59871e795fa03ff1fcb6e3d8371680daad41d7
                                          • Instruction ID: 842780a3df5d44f39572f8666588afd8c38cbc3e28464c0d1d5f2d5dbb6b68d1
                                          • Opcode Fuzzy Hash: ec00101b955955de773d188b8e59871e795fa03ff1fcb6e3d8371680daad41d7
                                          • Instruction Fuzzy Hash: EC71C7717002159FD711DB58C8807AEBBA6FF8A350F24C466E944CB296D731ED02D7A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq$Hhq
                                          • API String ID: 0-2450388649
                                          • Opcode ID: a22198f679bbbfae3dfaa8c83cdac4554aef9c0631053b2d658e2bee5a6e018e
                                          • Instruction ID: fc364a38d45d11318fbeb7026908ba7bc1ae763405bf7c41e58a6f8216cbf102
                                          • Opcode Fuzzy Hash: a22198f679bbbfae3dfaa8c83cdac4554aef9c0631053b2d658e2bee5a6e018e
                                          • Instruction Fuzzy Hash: 19813974E003199FCB04DFA9C8956AEBBF6FF89300F54852AE409AB350DB749945CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (hq$Hhq
                                          • API String ID: 0-2633903351
                                          • Opcode ID: 128d514f430960e1c73f05f747b0ee9af6c3d7061ceed2c38d44a2b126263546
                                          • Instruction ID: c12e6565c326fd720f8c948d2d4f2ca0b643f55161f72b755296e1052d039960
                                          • Opcode Fuzzy Hash: 128d514f430960e1c73f05f747b0ee9af6c3d7061ceed2c38d44a2b126263546
                                          • Instruction Fuzzy Hash: 3F619274B00219CFCB14DFA9C4596AF7BF6EBC8310F158869E90AE7380DB3499458BA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq$Hhq
                                          • API String ID: 0-2450388649
                                          • Opcode ID: 86210a1be97bc0d49bb8e4c3b37a020c19653660376c3e1c1803c91a3b8e1b51
                                          • Instruction ID: 8a01561e07e483269512a3d18cfe00d934ad985fa315dd365068228c80579af0
                                          • Opcode Fuzzy Hash: 86210a1be97bc0d49bb8e4c3b37a020c19653660376c3e1c1803c91a3b8e1b51
                                          • Instruction Fuzzy Hash: 3671BF35A00215CFCB15DF68C455AAEBBB6FF89300F1484AAD905DB361DB39ED06CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq$Hhq
                                          • API String ID: 0-2450388649
                                          • Opcode ID: 5f680c3045e89c1bacc1114fb5eff2b8329b667c47c8184416f23c3c109df572
                                          • Instruction ID: c77bffe3d899c258b9d919105a306ac303a1d6e047bb3db5e5767480a13e7951
                                          • Opcode Fuzzy Hash: 5f680c3045e89c1bacc1114fb5eff2b8329b667c47c8184416f23c3c109df572
                                          • Instruction Fuzzy Hash: 0B712A78A001698FCB14EFA8C5949ED77F2FF8D314B2444A9D805AB391CB35ED82CB61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq$Hhq
                                          • API String ID: 0-2450388649
                                          • Opcode ID: 63220569d6baecb58946611c63bd3ad566935b43cd8860cc03a4f5084081b025
                                          • Instruction ID: 10b7874d8326c32b7306149520a8b4583727afc39bdafc6ce4293de7ef0943d8
                                          • Opcode Fuzzy Hash: 63220569d6baecb58946611c63bd3ad566935b43cd8860cc03a4f5084081b025
                                          • Instruction Fuzzy Hash: 055190B57002618FC714DF78C4989AE7BF6BF8A60071549AAE906CB3A1DF35EC068B51
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-227171996
                                          • Opcode ID: 5f7468b296449ec83d007e175a932fe62d9b1efe01edcfff389226e985ed479c
                                          • Instruction ID: 3062312bb31e44186ff1e808cf1d36ea27d1328a0c7958ca741739796846a3a2
                                          • Opcode Fuzzy Hash: 5f7468b296449ec83d007e175a932fe62d9b1efe01edcfff389226e985ed479c
                                          • Instruction Fuzzy Hash: 90710331900701CFDB05EF29D88564477B1FF9A300B4586A9D949AF32AEB35F888CBA0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-227171996
                                          • Opcode ID: 17c9f136102475fdab5e7db74f280f9782da92623e60e297f04dce4186ba1447
                                          • Instruction ID: ca310c18eb53f5ba814da382bda05fd50cef889165da9302f903c3c719ba53d3
                                          • Opcode Fuzzy Hash: 17c9f136102475fdab5e7db74f280f9782da92623e60e297f04dce4186ba1447
                                          • Instruction Fuzzy Hash: 0F61AF35A10705CFEB04EF2AD485544B7B2FF99304B4086A8D949AF21AEB71F9C8CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Tedq$Tedq
                                          • API String ID: 0-4137347946
                                          • Opcode ID: 85231f872e012071966031d850f0cc6b19aebc2028ccb6c2a36e22064b6a657d
                                          • Instruction ID: ec355b057a657187f18dffb76e7058b3ffb20e4cddbad3cc86eb98e2f057f785
                                          • Opcode Fuzzy Hash: 85231f872e012071966031d850f0cc6b19aebc2028ccb6c2a36e22064b6a657d
                                          • Instruction Fuzzy Hash: D45197B4E002199FDB08DFA9D894AAEFBF2FF88304F108129D915AB364DB755945CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Tedq$Tedq
                                          • API String ID: 0-4137347946
                                          • Opcode ID: ff5565a5c500d8d24344bbb46597a0e04f6e1cf9b4c62034fb888ffd41871195
                                          • Instruction ID: 2acf04bf26919f86bbfb10603b974211d469194d2e4d792bae68b443319e8e3c
                                          • Opcode Fuzzy Hash: ff5565a5c500d8d24344bbb46597a0e04f6e1cf9b4c62034fb888ffd41871195
                                          • Instruction Fuzzy Hash: 4F51C9B4E002199FDB08DFE9D854ADEFBB2FF88300F10812AD915AB364DB755946CB51
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'dq$4'dq
                                          • API String ID: 0-2306408947
                                          • Opcode ID: ad2ad5d9e02b8065f1465050218cd5fbcf6600faecaf201e7c0ad473d5209e2a
                                          • Instruction ID: 05ae75166f40abb14acbe706ec4a5d15288632491d5104e284a548746e8a30ad
                                          • Opcode Fuzzy Hash: ad2ad5d9e02b8065f1465050218cd5fbcf6600faecaf201e7c0ad473d5209e2a
                                          • Instruction Fuzzy Hash: C341B471E1071A9BCB04EFB9E8446DDB3B2FF99300F614A15E508BB240EB707985CB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'dq$4'dq
                                          • API String ID: 0-2306408947
                                          • Opcode ID: 21d23435149383ff0814cb1c2586203e7e73f35e7312081bae5867ef93b0e93b
                                          • Instruction ID: bb2012c9ff5ef4d28e9610d084581c3faba96df38f0e0c09d5bff4e5750103e4
                                          • Opcode Fuzzy Hash: 21d23435149383ff0814cb1c2586203e7e73f35e7312081bae5867ef93b0e93b
                                          • Instruction Fuzzy Hash: 2D415131E1071A9BCB04EFB9E8446DDB3B2FF99304F614A25E508BB250EB707985CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $dq$$dq
                                          • API String ID: 0-2340669324
                                          • Opcode ID: 230b7ee1f9e196c93e813936f906fdbef0c35b5f782ca7cb064104979be7f733
                                          • Instruction ID: e3cc9a4c5177e3b6dc822065965eb2c9f503ba581c805594c40d977facd6f6e5
                                          • Opcode Fuzzy Hash: 230b7ee1f9e196c93e813936f906fdbef0c35b5f782ca7cb064104979be7f733
                                          • Instruction Fuzzy Hash: 7A31B4F03042274FCB259B35D8556BE77A5FF86300B1948ABD052DB2E1EE68CC82D791
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A6E996
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A6E996
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0314AF9E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1721633670.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3140000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 031459C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1721633670.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3140000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058E1A02
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726283184.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_58e0000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058E1A02
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726283184.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_58e0000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 031459C9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1721633670.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3140000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 058E4111
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726283184.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_58e0000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A6E568
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A6E568
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A6E3BE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A6E648
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0314D5E6,?,?,?,?,?), ref: 0314D6A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1721633670.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3140000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A6E648
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A6E3BE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0314D5E6,?,?,?,?,?), ref: 0314D6A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1721633670.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3140000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A6E486
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A6E486
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 07F011D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728526280.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7f00000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          APIs
                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 07A64128
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: DebugOutputString
                                          • String ID:
                                          • API String ID: 1166629820-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          • OutputDebugStringW.KERNELBASE(00000000), ref: 07A64128
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: DebugOutputString
                                          • String ID:
                                          • API String ID: 1166629820-0
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0314AF9E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1721633670.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3140000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 07F011D5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728526280.0000000007F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7f00000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 338cfa8949bcd9eec6ca0eb765505eb6c5c50b62093badcd1681f5a34548ccb1
                                          • Instruction ID: f8b157ab4704506a29f8bc2e26f75f91bf3a500b871de3f8835d9e71c04f639b
                                          • Opcode Fuzzy Hash: 338cfa8949bcd9eec6ca0eb765505eb6c5c50b62093badcd1681f5a34548ccb1
                                          • Instruction Fuzzy Hash: A311D3B58003499FDB10DF9AC885BDEBBF8EB48324F148419E518A7750C375A544CFA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (hq
                                          • API String ID: 0-4060669308
                                          • Opcode ID: 2a3e779a6a937a0941ca5edc502a4c837178590c136cee0197211ee4d452a5a1
                                          • Instruction ID: 37d847c65e713408f00dc8513c2e9501386c60b61cb3095d91e3b41867acdf97
                                          • Opcode Fuzzy Hash: 2a3e779a6a937a0941ca5edc502a4c837178590c136cee0197211ee4d452a5a1
                                          • Instruction Fuzzy Hash: 2F91D171A05208DFCB18DFA9D4496AEBFF6FF88310F15846AE445A7350DB34A805CBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: b4f52b9fb2884ee90e374ceaf61d9c48301b6e6bddf1c1000d39460bee1b3d7f
                                          • Instruction ID: d5445c98e4a8fa985442b52181ee6160a91ce8595a4760ed1f7cb65b0a9c2651
                                          • Opcode Fuzzy Hash: b4f52b9fb2884ee90e374ceaf61d9c48301b6e6bddf1c1000d39460bee1b3d7f
                                          • Instruction Fuzzy Hash: 46D10A7590060ACFCF04DFA8D5849EDB7B2FF48314B258659D80667259EB70AA8ACFD0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: 8e1ec99f4e9c97904267967b7112cff990252e974ebd5ea7544ef19a3d9f0691
                                          • Instruction ID: e580b3f32b958c6e1e56aff628c2caf5cecb3a1e6072182c68994e179627561b
                                          • Opcode Fuzzy Hash: 8e1ec99f4e9c97904267967b7112cff990252e974ebd5ea7544ef19a3d9f0691
                                          • Instruction Fuzzy Hash: 5EA10C3590064ACFCF04DFA8D4848DDF7B1FF98314B218655D816AB259EB70A98ACFD0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (hq
                                          • API String ID: 0-4060669308
                                          • Opcode ID: b93005a1a3043edcfb5d96b8a0bc8aec2ba39507a77d4d3a09f7d5dd8bf29839
                                          • Instruction ID: 607274c0682c7401a82be1d4a459270886b0b29070f98f7687f03b8c9cc42c9e
                                          • Opcode Fuzzy Hash: b93005a1a3043edcfb5d96b8a0bc8aec2ba39507a77d4d3a09f7d5dd8bf29839
                                          • Instruction Fuzzy Hash: 5D71D1B5A00219AFCF05DFA9D880ADEBBF6FB4C310F14852AF918A3250D731A951DF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (hq
                                          • API String ID: 0-4060669308
                                          • Opcode ID: c07e25673cf51e69eee032cc19a0b3bcee715b22d11463c0b4c2b4eabc4b47c5
                                          • Instruction ID: 49b68dfa5d74e548be24f2be6964f8de6b5799c188ee79726ed8022a1f3bfcbe
                                          • Opcode Fuzzy Hash: c07e25673cf51e69eee032cc19a0b3bcee715b22d11463c0b4c2b4eabc4b47c5
                                          • Instruction Fuzzy Hash: 6D4124357046608FCB09A779942922E36DBAFC975071445ACD906CB394DF24ED0287D6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq
                                          • API String ID: 0-4210879014
                                          • Opcode ID: d699e016d65e872a1821b1bc62512530164d5ccebdd016d12f42073a8f94b446
                                          • Instruction ID: 96176e20154dbce9d4984524e7b9b56a872918bfc55bfe2c6268a715b93b5e3d
                                          • Opcode Fuzzy Hash: d699e016d65e872a1821b1bc62512530164d5ccebdd016d12f42073a8f94b446
                                          • Instruction Fuzzy Hash: B5416DB4A00318DFCB14DFA9C445A9EBBF9FF88310F508829E50AE7350DB34A945CBA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (hq
                                          • API String ID: 0-4060669308
                                          • Opcode ID: 1a12e12a86b5545571acfea1411639be19f6770c9eb016671a1fbfee5ff108fd
                                          • Instruction ID: 32a49fcac0bc5e0a87fe0779389c8c28582fda3b69477aaa786ef0e24254047d
                                          • Opcode Fuzzy Hash: 1a12e12a86b5545571acfea1411639be19f6770c9eb016671a1fbfee5ff108fd
                                          • Instruction Fuzzy Hash: BB41C330B00A158FCB01EB6DC815AAEBBF6EFCA200F14459AD409DB3A1DB74DD85CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ~WJ
                                          • API String ID: 0-3269328725
                                          • Opcode ID: 5f90b7baaaa6e39414991a8c09ef2ce9d96cfe19628cdedc6cc1dc489316b0b3
                                          • Instruction ID: c9f2f62b472c573cc53b3820acf480a8a27e280b7f6b571b8ad620e78f2188ab
                                          • Opcode Fuzzy Hash: 5f90b7baaaa6e39414991a8c09ef2ce9d96cfe19628cdedc6cc1dc489316b0b3
                                          • Instruction Fuzzy Hash: 0A21F5317003058FCB15DF78C4594AABBF6EF88304B158869D90ADB351EB74E80ACBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hhq
                                          • API String ID: 0-4210879014
                                          • Opcode ID: e21ad22b82c8f652a7a20ccf897ff1f2799a8ca704e8d606ba6d9af0e4644e69
                                          • Instruction ID: 953f1f49a48540ae30e72a232920ea28af6f504c20687ed371975a4dc1d60e0c
                                          • Opcode Fuzzy Hash: e21ad22b82c8f652a7a20ccf897ff1f2799a8ca704e8d606ba6d9af0e4644e69
                                          • Instruction Fuzzy Hash: 1C21D434A00118DBDB04DFA8D5199AE7BFAFB88310F144469E806AB354CF74AD00DBA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ~WJ
                                          • API String ID: 0-3269328725
                                          • Opcode ID: 72e416afde1df25b04d38e9a553e05cfc0d4c5a2054c149372ecdbfccc303c80
                                          • Instruction ID: e2be2655a2cfd1205ffc2ffc29aae4e64cea4f1e630ebf47752c91fae729b8d5
                                          • Opcode Fuzzy Hash: 72e416afde1df25b04d38e9a553e05cfc0d4c5a2054c149372ecdbfccc303c80
                                          • Instruction Fuzzy Hash: C001A272904308DFDB10EF99E449B9ABFF9FB98314F10806AE209D7210C775E599CBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'dq
                                          • API String ID: 0-1167855494
                                          • Opcode ID: a5789604db17a2add9c3713ecaede2a5507eb909d9fa93e50ac680c9353029ac
                                          • Instruction ID: 7ece224740431869d0f89e027d993774f3cd06b540c80d16bbd64d8e69f2e688
                                          • Opcode Fuzzy Hash: a5789604db17a2add9c3713ecaede2a5507eb909d9fa93e50ac680c9353029ac
                                          • Instruction Fuzzy Hash: CB018635304204CFC754DB7AE9596593BEAFFC9211B5541A5E90ACB361DE35EC408B90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'dq
                                          • API String ID: 0-1167855494
                                          • Opcode ID: e0c0b11f02a913e9400a64677a9f9748ea52063c4338d68811aec1ca8d350013
                                          • Instruction ID: f153aba0b44c360b436e0103f226ac3ac6f215a94ef449483183dca14da18e98
                                          • Opcode Fuzzy Hash: e0c0b11f02a913e9400a64677a9f9748ea52063c4338d68811aec1ca8d350013
                                          • Instruction Fuzzy Hash: 6D014F70A00309DFCB44EFB8E55969D7FB1FB98301F500569E8059B354EE342A44CB55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'dq
                                          • API String ID: 0-1167855494
                                          • Opcode ID: ff6fdb549eb08cde34aab829c711852981563170584223276213a6f5ab235e26
                                          • Instruction ID: b66cab8d5333e60f33c9ee96a8771d4e3a02f6c72aad1ed3140b1f822a81e343
                                          • Opcode Fuzzy Hash: ff6fdb549eb08cde34aab829c711852981563170584223276213a6f5ab235e26
                                          • Instruction Fuzzy Hash: 22F03C70A00209EFCB44EFB8E65959D7FB1FB98302B5005A9E8059B354EE342E84CB59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ~WJ
                                          • API String ID: 0-3269328725
                                          • Opcode ID: acbc0dd7e751a3ad18edfc3824f93195ec442a7ccd05fde00db65d4af9bbc19d
                                          • Instruction ID: d274738eb6bc90583c723ca374edf01f100dcfd27f7502d5f8be85f3cf983072
                                          • Opcode Fuzzy Hash: acbc0dd7e751a3ad18edfc3824f93195ec442a7ccd05fde00db65d4af9bbc19d
                                          • Instruction Fuzzy Hash: 0DF0E2B250839D8ED701DF94D801A9B7FF5BB55304F098892D000CB551E771A119D751
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ~
                                          • API String ID: 0-1707062198
                                          • Opcode ID: d79683af150a2e96afe971e785b16bd5a0d173e49bf02632a945fc0d6a2d5a73
                                          • Instruction ID: 61f168a2a295d4a1f1e83b4831f24f11e64da3a0db40b17479cd2e045dca3278
                                          • Opcode Fuzzy Hash: d79683af150a2e96afe971e785b16bd5a0d173e49bf02632a945fc0d6a2d5a73
                                          • Instruction Fuzzy Hash: 76D02237B0C36057D600AA54F40268EB3EAE7C1328F24506BC3444A5C1C7ABB8838354
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b92b57dfe9ca35e62a60b5afa40cba85508d9d07585ba06e9d71e699e096538a
                                          • Instruction ID: 261b465105ea824e1463942335a0991d88fd33842b60f531372d36d1a2fd4b93
                                          • Opcode Fuzzy Hash: b92b57dfe9ca35e62a60b5afa40cba85508d9d07585ba06e9d71e699e096538a
                                          • Instruction Fuzzy Hash: C362EFF0E02B124BD7B45B7485D93EEBA91BB42308F50495FD0AECB2C1DB7499829B46
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d1a8340595404b5ed1a167c6e04ea5c70577bcfc5c56f0e381c87646dacd8478
                                          • Instruction ID: d0d81a21f18347b1eed8ca3f5041fdd55982af8fc560b40bcfe45b10b4386710
                                          • Opcode Fuzzy Hash: d1a8340595404b5ed1a167c6e04ea5c70577bcfc5c56f0e381c87646dacd8478
                                          • Instruction Fuzzy Hash: 85722D31910609CFCB14EF68D8996EDBBB1FF59301F008299D54AA7265EF30AAC5CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e7d7f056c155247f66d7e45df472914cdd202b7145554580700923b26967192
                                          • Instruction ID: 962f2296c6355e9aa84454f918ad46c3934ba752e5f2d228c8766aaf43ea4316
                                          • Opcode Fuzzy Hash: 3e7d7f056c155247f66d7e45df472914cdd202b7145554580700923b26967192
                                          • Instruction Fuzzy Hash: 9B42D831E11719CBCB14DFA8C8856EDB7B2FF89304F108699E459BB251EB70AA85CF40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2919996d51cd5dade7a56984de8aebba50c63f69b71f77f10ab2654892d3e2da
                                          • Instruction ID: 975ff192877a3cae4550dbced56b69a5fa2fd87804c1f7ccbd4e1b2634e10462
                                          • Opcode Fuzzy Hash: 2919996d51cd5dade7a56984de8aebba50c63f69b71f77f10ab2654892d3e2da
                                          • Instruction Fuzzy Hash: 46221734A10615CFCB14DF69C899AADB7F2FF89301F1485A8E90AEB365DB30AD45CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 379ed5f9d593b239957b0d219eb17c4e165cfb5b4733548b9540fa0660b54b5c
                                          • Instruction ID: 07fabcc9c2f8b1e39b504370cace30d3331f45946c2f45183a6b0525a369e606
                                          • Opcode Fuzzy Hash: 379ed5f9d593b239957b0d219eb17c4e165cfb5b4733548b9540fa0660b54b5c
                                          • Instruction Fuzzy Hash: E32249F0906B534BD7B05B7486D83DFF6A0BB06318F20495BC0FE8A2D5E7349586AB46
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 641e1e655c09447b2826d9393838be1af440ac941ae643b018cdbacb8b6bf758
                                          • Instruction ID: 8a388d3f289704123601c1dbcbce3cfa1bb92667bd3b18395e2c1180e54c7d76
                                          • Opcode Fuzzy Hash: 641e1e655c09447b2826d9393838be1af440ac941ae643b018cdbacb8b6bf758
                                          • Instruction Fuzzy Hash: DEE1EB31E11619CBCB14DF68C895AEDB7B2FF49300F148699E419BB251EB34AE85CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3402310f529080ed4aaf37ef45deb12bf3e043cdc6dc31c80f33b2a319ca5e6a
                                          • Instruction ID: 608c21824c9f29c07d88b13e84d74f55bb85fb695240b8c09b479a5dc6400869
                                          • Opcode Fuzzy Hash: 3402310f529080ed4aaf37ef45deb12bf3e043cdc6dc31c80f33b2a319ca5e6a
                                          • Instruction Fuzzy Hash: 6481D4797506118FCB14DB28D498DAD77F6FF8A605B2541A9E902CB3B1DB71EC02CB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eab4a9cf31bc640c83459e049c6b3d3b26734d917fbbeeda9a7e2e82949f2921
                                          • Instruction ID: b0bd9595690e747b725228424e042e57f146d84440b3525d0b33d9582d9cd7c9
                                          • Opcode Fuzzy Hash: eab4a9cf31bc640c83459e049c6b3d3b26734d917fbbeeda9a7e2e82949f2921
                                          • Instruction Fuzzy Hash: 73712BB4700226DFCB15DF28C484AAA77E5BF4A711F1584AAE805CB3B1DB74DC42DB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5594ce6488cd7476e2fc93b5a05b4b575cb1d847710499a00de3f401b569a972
                                          • Instruction ID: 284ade1a0516c19a81722fe8391d1f0a564128e22eeecb53912c7191bc1aceb3
                                          • Opcode Fuzzy Hash: 5594ce6488cd7476e2fc93b5a05b4b575cb1d847710499a00de3f401b569a972
                                          • Instruction Fuzzy Hash: AD91F67190070ACFCB41EF68C884999FBF5FF49310B14879AE859AB255EB30E985CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea81879a58e6d295218f87db04450bbf0f92f8af35369d3d68de55ccb77b219f
                                          • Instruction ID: c9cc644e4b231834316627292258c0252fcfd208ff4b4fc0f6b57eb7c68e6623
                                          • Opcode Fuzzy Hash: ea81879a58e6d295218f87db04450bbf0f92f8af35369d3d68de55ccb77b219f
                                          • Instruction Fuzzy Hash: 4191D935A00619CFCB10EF68C884A9DF7B1FF89310F15C699D9497B225EB30AA85CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 95aecb33d7b7c8f3c49a5e63da7d36d62f5924402e889fad6e2a98f081595389
                                          • Instruction ID: 4f1625161eb0655ad4f8c873421aa3cf74c6917651b037a1e505d69962d41cdc
                                          • Opcode Fuzzy Hash: 95aecb33d7b7c8f3c49a5e63da7d36d62f5924402e889fad6e2a98f081595389
                                          • Instruction Fuzzy Hash: 2C713C7191071ACFCB41DF68C880A99FBF5FF49320B14875AE859EB255EB30E985CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 17516996241a4fb453c2d31edc3702ce514eb5ea5ff9d5188d12f09044482196
                                          • Instruction ID: 982308b6695ea5388e66961b94bca6397b97ada0da2eda973df465e240292698
                                          • Opcode Fuzzy Hash: 17516996241a4fb453c2d31edc3702ce514eb5ea5ff9d5188d12f09044482196
                                          • Instruction Fuzzy Hash: 3F615A30610600CFCB14DF69C899B997BF6FF89311F0449B8E906AB3A1DB75AD48CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4596d5979d328eaf029e4be1103064a33956f1a1c79cb3ffaac09d15c60870e3
                                          • Instruction ID: 04917dfaff47b59638d9a050edf4082b98a07f71b4a947df1b90698b144a45ca
                                          • Opcode Fuzzy Hash: 4596d5979d328eaf029e4be1103064a33956f1a1c79cb3ffaac09d15c60870e3
                                          • Instruction Fuzzy Hash: 2B719174A00206CFC714CF69D585A99FBF1FF49214B0986AAE90ADB312D774E885CB94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 316a2704edf1191f49bcbddc871beba0869682f4e6a3a58c659e5f458d516308
                                          • Instruction ID: 92851c400a1f097190e909826f89f6c0243ecec3b64d455f441c9b14958b1bd5
                                          • Opcode Fuzzy Hash: 316a2704edf1191f49bcbddc871beba0869682f4e6a3a58c659e5f458d516308
                                          • Instruction Fuzzy Hash: 2D616FB1E0076A9FDF15CFA5C5406DDBBF2BF8A300F24861AE815AB291D770A942DF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50e108c398680f309d1f5cafb8b47f6825f74dafad4c65c39d8a518804d6ddb0
                                          • Instruction ID: 978dcf4c51240bf4dab5fbec172d35d3d7c780ad73f0642e6fa0bccd56e1226d
                                          • Opcode Fuzzy Hash: 50e108c398680f309d1f5cafb8b47f6825f74dafad4c65c39d8a518804d6ddb0
                                          • Instruction Fuzzy Hash: B2514471E102599FCF14DFA9C849AAFBFF9EF84310F11842AE419E7250DB749905CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 31cd16a772cab02a0be39b2f25627577e3f9b280fae76c6d8437b9c5555da566
                                          • Instruction ID: 2e9da7b091c0a43223a155716daaef45f001d640de5cfcb3a653908fce57b521
                                          • Opcode Fuzzy Hash: 31cd16a772cab02a0be39b2f25627577e3f9b280fae76c6d8437b9c5555da566
                                          • Instruction Fuzzy Hash: B7517FB1E0076A9FDF15CFA5C5406DEFBF2BF9A300F24421AE845AB281D770A942DB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bdc2efa57566bb199f32c2b72784058c25696afcefd69f05f7806e3da40d4811
                                          • Instruction ID: 5e40e04c77a7d99bc47f3ce54d5a036ba1125fd43ee24308a727a7cb149c20ec
                                          • Opcode Fuzzy Hash: bdc2efa57566bb199f32c2b72784058c25696afcefd69f05f7806e3da40d4811
                                          • Instruction Fuzzy Hash: 5F41B071B04269DFCF15CFA4C854ADEBFB2BF46310F048056E9019B2A2E375E856DBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e1db197a6dbfec7c20d1af4c205249ef92cacbc7fc8eee6ac09841055428b4a
                                          • Instruction ID: 3498d9682ddada25d375c81e07a72b41cfdc0832dd19d2d0e14d0d2a8dc6d35a
                                          • Opcode Fuzzy Hash: 7e1db197a6dbfec7c20d1af4c205249ef92cacbc7fc8eee6ac09841055428b4a
                                          • Instruction Fuzzy Hash: 33416C35B00229CFCB11DFA9E849AADBBF9FB8C314F148025E805EB350DB349945CBA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 521dff37caf1290501493506799f9d016eec83f6d8f010e5655824d39c10e9a1
                                          • Instruction ID: 87e5024c521f2455936e216b2f58f86f103027db1ce4c5843d86556c502bd09e
                                          • Opcode Fuzzy Hash: 521dff37caf1290501493506799f9d016eec83f6d8f010e5655824d39c10e9a1
                                          • Instruction Fuzzy Hash: B2410370A00259DFCB11CF64C814BAA7BB2FB46314F04C46BE805DB291DB399D86DBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a72ba6592354759719e61ece82946671cb9d485d3ef766cf8c3084a84eb827b
                                          • Instruction ID: ad2f46d2a67b1c7c2a53b55d4e3a28099e547a8ae153978069e4e21b009239c3
                                          • Opcode Fuzzy Hash: 5a72ba6592354759719e61ece82946671cb9d485d3ef766cf8c3084a84eb827b
                                          • Instruction Fuzzy Hash: 224162B5E00269CBDB15EFB9D4943ED7AB1FF8A214F14442AC801BB290CB354D86DBA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 949f6a5a04c687b105ecb25e4d31523e658ae6684cecbb828b364f3f1ce811eb
                                          • Instruction ID: 22481295a49435b13f1f32599aa63b070f19d558773e2c29b0985d943f8a2649
                                          • Opcode Fuzzy Hash: 949f6a5a04c687b105ecb25e4d31523e658ae6684cecbb828b364f3f1ce811eb
                                          • Instruction Fuzzy Hash: E5412B75A0020ADFCB00DFA8D4849EEFBB5FF49310B148699E918AB311E730E985CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5bbc3ccff801c81762aaaf11e88ec87ab93209904256757b2ddea72eef9e9461
                                          • Instruction ID: bf6ce6eb350e1ba01ca45ef4669b942f41be394ec8cfb5fbd59c5453f034e72c
                                          • Opcode Fuzzy Hash: 5bbc3ccff801c81762aaaf11e88ec87ab93209904256757b2ddea72eef9e9461
                                          • Instruction Fuzzy Hash: 7B41F3B2E00219AFCF01DFA9D880AEEBBF6FF48310F15856AE519A3250D7319955DB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f032624c902572d8b6ea1bb03e3f786e819a5be24623ad2b37cd6ca0a8e21932
                                          • Instruction ID: 3a608332051dddaf83ce498885294af079212b4311fca15292f80bcbbc5662b0
                                          • Opcode Fuzzy Hash: f032624c902572d8b6ea1bb03e3f786e819a5be24623ad2b37cd6ca0a8e21932
                                          • Instruction Fuzzy Hash: 20415F34A10709CFCB04EFB8C8849DDBBB6FF89305F018559E519AB365EB71AA45CB81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e1fdf49d5fcb060642ded5054d23e915556aaebdcee77c33e0d8bfe192c9d96
                                          • Instruction ID: 5dd9c359ccfa7891e80e269ed6b902dd258b54e74229addcb5dae3f3b2e34aea
                                          • Opcode Fuzzy Hash: 3e1fdf49d5fcb060642ded5054d23e915556aaebdcee77c33e0d8bfe192c9d96
                                          • Instruction Fuzzy Hash: AE412E34A10709CFCB04EF78C4849DDBBB6FF89304F018559E519AB325EB71AA46CB81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f9fc804bcd4a59f9391e8c68f018fc8c8f5f0e9b1683251bdf9d9e66b5355fd
                                          • Instruction ID: 1afecd5e7c0434cf1c17ca689532d34a4f9484c05e8feb4799dcc60b063d9869
                                          • Opcode Fuzzy Hash: 0f9fc804bcd4a59f9391e8c68f018fc8c8f5f0e9b1683251bdf9d9e66b5355fd
                                          • Instruction Fuzzy Hash: 5D31867170422A9FCB059FA8D454AAE3BA6FB89300F104415FD058B290CB39EDA2DFD1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f74d31f61b67872f9057c3013aad407131d1f8c0e4e84f1eba2ade1acdfb953
                                          • Instruction ID: 1e309ca38a97f8aa81839b4b26660c40feb6d8353e1c2e0c527420fe7c093847
                                          • Opcode Fuzzy Hash: 0f74d31f61b67872f9057c3013aad407131d1f8c0e4e84f1eba2ade1acdfb953
                                          • Instruction Fuzzy Hash: 91413B74A00206CFC714CF28D585AA9FBF5FF49310B4586AAE80ADB351D770EC45CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c510cd0bd0e2fb7007769b3cfed889944133aeb2315cda2156e23b1965438746
                                          • Instruction ID: b37adca066d37bfb91d2ef155477a5f038482fca580fd82fb3a77118266f7d28
                                          • Opcode Fuzzy Hash: c510cd0bd0e2fb7007769b3cfed889944133aeb2315cda2156e23b1965438746
                                          • Instruction Fuzzy Hash: 4D41EFB1D0030DCBDB24DFA9C988A9EBFB5BF48304F65802AD419AB210D7756A49CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4bde08584c318ccac113f5c31212c8b1630cf966e4e53061e7d152bf5f503687
                                          • Instruction ID: 2bd32977e6b56a587cedd932d06e9df4dd7eeb784d394076efa09ccd83af0c2b
                                          • Opcode Fuzzy Hash: 4bde08584c318ccac113f5c31212c8b1630cf966e4e53061e7d152bf5f503687
                                          • Instruction Fuzzy Hash: 9A41BFB0D00358DFDB14CFAAC889A9EFBB5FF89310F24812AE419AB254D7745845CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 628a2518c523a4b7d6a0faefe046138f5127823803cf468b007ef79507278771
                                          • Instruction ID: bb4646cdda7f073d1ad3cff0e6a6720fb2b849e5cdbb110769641dd91241796d
                                          • Opcode Fuzzy Hash: 628a2518c523a4b7d6a0faefe046138f5127823803cf468b007ef79507278771
                                          • Instruction Fuzzy Hash: 0D41EEB1D00309CBDB24CFA9C989A9DBBB5BF48304F65802AD419BB210D7756A4ACF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eec26c21dc7b2fd94eaea9043971c28cbadbe6becca7726ce8da25dbe6978200
                                          • Instruction ID: 4061619e308186e26030c4ff7f72bf1f45194d9fe8d9a54807da9cd0017d15ba
                                          • Opcode Fuzzy Hash: eec26c21dc7b2fd94eaea9043971c28cbadbe6becca7726ce8da25dbe6978200
                                          • Instruction Fuzzy Hash: 8C317E35B01219DFCF04EB68E8488DDF7B6FF89210B048569E906AB310EB71AD46CBD1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6db7bd30e21376b8e3317fb331eee924724f9910281cfbc0c840be2180f4ca73
                                          • Instruction ID: d6460b634ed3a6dd8f9c83877d84347c5610926f8a75c1ea06373664bc1542c8
                                          • Opcode Fuzzy Hash: 6db7bd30e21376b8e3317fb331eee924724f9910281cfbc0c840be2180f4ca73
                                          • Instruction Fuzzy Hash: 343170369007098FCB00EFA8C884ADEFBB5FF85310F558569D545AB221EB34E949CB81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b9f8c6949d0cf252058ff8a11f9afcf4e938000586e941ebbbf28bcfdb1012cb
                                          • Instruction ID: 347326e260dcf861e575c7788910ad9e1aca29b7048f37539ba2bf6f40de3d83
                                          • Opcode Fuzzy Hash: b9f8c6949d0cf252058ff8a11f9afcf4e938000586e941ebbbf28bcfdb1012cb
                                          • Instruction Fuzzy Hash: 7B41F775A0020ADFCB44DF69D88499EFBB5FF49310B14C6A9E918AB315E730E985CF90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1a72344a3b8e9e2b199c1d90a19e725efdb025193a960e3aa0f86ab838fb863e
                                          • Instruction ID: 8b83d46d755b1b43ec6583d8a7ccd2654a17f250fb1d0d3321eb6febe1580781
                                          • Opcode Fuzzy Hash: 1a72344a3b8e9e2b199c1d90a19e725efdb025193a960e3aa0f86ab838fb863e
                                          • Instruction Fuzzy Hash: BC21D3723142018FD7149B6DC886A697BE6FFC9322B1984B5E40ACF3B6DA35DD008B91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9fbb85df9b2993ce9fba3427b456d5707bab54dbe052676d250851642f61c3d
                                          • Instruction ID: 25d2d74d9b071c985cdc99560ac279aeb5cfb974ce39fb874c3e552feca431b5
                                          • Opcode Fuzzy Hash: a9fbb85df9b2993ce9fba3427b456d5707bab54dbe052676d250851642f61c3d
                                          • Instruction Fuzzy Hash: 293193B5E40266CFDB15DFB984943ED7AA2FF89210F14483AC401BB394CB354D469B96
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15c7ef16f0ad2548b2c19aeda67789167813ad46bb214bb679bccac6bad29a27
                                          • Instruction ID: 77b523ec1341140dd4d5ea601c63c484945154feb1db04bd04265a003cc1ac1b
                                          • Opcode Fuzzy Hash: 15c7ef16f0ad2548b2c19aeda67789167813ad46bb214bb679bccac6bad29a27
                                          • Instruction Fuzzy Hash: F121D3F13002224BDB166B358458BBE279BBFC6244F14443AD916CB3D5FE6ACC83A781
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c7122adf28fcae613e8fe7acbcbc245a21582cd90b08deb68c07468ced08e565
                                          • Instruction ID: ecc614563237caf8e9d55e50234d6d3415a76a33d8f1dd409cb9a16f3b558ff1
                                          • Opcode Fuzzy Hash: c7122adf28fcae613e8fe7acbcbc245a21582cd90b08deb68c07468ced08e565
                                          • Instruction Fuzzy Hash: 22218271B002559FCF01DBA9C809ABFBBFAAFC4300F01856AD459E7250EB349A01CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c1d9901593b53025c471f0b7e0ae27f2501596183ad5021e5d84123d18e959c
                                          • Instruction ID: 69ee06e3181194bf1a5f53a3373363ce1b2c34a4dae81b4fac63b85e763e4ae1
                                          • Opcode Fuzzy Hash: 5c1d9901593b53025c471f0b7e0ae27f2501596183ad5021e5d84123d18e959c
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f5b11b8d29e12d5349dfc088fa75f3e1791eae8a4f40ca98ee41865e10a59b1
                                          • Instruction ID: a792e2f2fa73a84a0c731ebebe75b5b11b6268aee1bc11e9ce7ebbb17cc416b4
                                          • Opcode Fuzzy Hash: 2f5b11b8d29e12d5349dfc088fa75f3e1791eae8a4f40ca98ee41865e10a59b1
                                          • Instruction Fuzzy Hash: 27019272B00B18DBCB116B78D40A6AEB739FFC1660F05466DD94917241EB30B68587D1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4591e38c859f2d6bc07bf012a1e54a87d64c8775a75414ac4a94be80992f4c37
                                          • Instruction ID: ab7043ff0aa17bdf937e2f66d8382ce8b9ed556623fe266a85e076ea652a6a33
                                          • Opcode Fuzzy Hash: 4591e38c859f2d6bc07bf012a1e54a87d64c8775a75414ac4a94be80992f4c37
                                          • Instruction Fuzzy Hash: AE11F3B5C043488FCB10DFAAD849B9EFBF8EB48320F14841AE859A7310D774A544CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d829e4512143748a151a54338f166f29522571bf5561a09f655b9939d10c172
                                          • Instruction ID: d447d03560098c36e6e1a873269a20dda703daa6095a5f1d80eed7d0b803edee
                                          • Opcode Fuzzy Hash: 2d829e4512143748a151a54338f166f29522571bf5561a09f655b9939d10c172
                                          • Instruction Fuzzy Hash: 9301F27660D3C05FCB0357749C25ADA3FB19F97200B0A40EBD089CF1B3C5289959C762
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b7c7ef5847ab40c937195a1dca40e40db20987b64484979ecfeaf3b56fd205c
                                          • Instruction ID: 1869de186da73cf467c2e0d350fffa27d8922ed9d57c605ca916e366e93022ee
                                          • Opcode Fuzzy Hash: 9b7c7ef5847ab40c937195a1dca40e40db20987b64484979ecfeaf3b56fd205c
                                          • Instruction Fuzzy Hash: 7901D2B6900308DFDB00CF98D4447CABFF5EF98320F188559E15AAB211C379E806CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58ce60abca8d188e1cb0a1f58ca6e0309852c53ed396ad39327bc6ec159be1d4
                                          • Instruction ID: df18e7c5cec7e454bc44dd6ae67b297fd1ec765f36756da44461893ef59e1d2b
                                          • Opcode Fuzzy Hash: 58ce60abca8d188e1cb0a1f58ca6e0309852c53ed396ad39327bc6ec159be1d4
                                          • Instruction Fuzzy Hash: 300128B27000256FCB059A949810AEE3FABEBC9340F14806AF904C7680CE759D429795
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15eac8cfb60313ce737caea80925a9fa758bafa179726bfbe6e4c4de82cccd87
                                          • Instruction ID: 2079681831f3aa14b0d897fd17c930d9cffe6ede9e93172fc47d8eb9df6a906a
                                          • Opcode Fuzzy Hash: 15eac8cfb60313ce737caea80925a9fa758bafa179726bfbe6e4c4de82cccd87
                                          • Instruction Fuzzy Hash: 46017175700210CFC718DB29D49992ABBEAFFC821571888ADE80AC7360CF71EC01CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1aa43d8e820539278d1535d8b871cc2b27a94f9a635cdebad6370642d2a7b698
                                          • Instruction ID: 6a228d20fc07606324403d254a11c84e11532058f1e77a69c4361dcc0d728441
                                          • Opcode Fuzzy Hash: 1aa43d8e820539278d1535d8b871cc2b27a94f9a635cdebad6370642d2a7b698
                                          • Instruction Fuzzy Hash: 76018EF1D0066ACFDF149FB590983ED7AB1BB85311F144429C001B62C0CB784D82DBA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8658ffa95158da99f97088b7d143534d5c766e06b7af1a04c2082d64ae8d2d92
                                          • Instruction ID: 7adf6fd118db7d35fcbd89a74906d7a47642ff7aedca1ffb1ef27d90e148abcc
                                          • Opcode Fuzzy Hash: 8658ffa95158da99f97088b7d143534d5c766e06b7af1a04c2082d64ae8d2d92
                                          • Instruction Fuzzy Hash: A41100B58003488FCB10DF9AC489B9EFBF8EB48320F20841AD519A7340C775AA44CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 138ec4f213341d49e290d6a3839020f20e54e32e4da24976cb568f610b2ef0f8
                                          • Instruction ID: 7f7e7210a23511284e1e3b3666f6d80c1d1a7426dd11f197815ea28183dc8693
                                          • Opcode Fuzzy Hash: 138ec4f213341d49e290d6a3839020f20e54e32e4da24976cb568f610b2ef0f8
                                          • Instruction Fuzzy Hash: 0B011770601709CFC728EF69C45555AB7B6BFC5240B10866EE9868B260EB71EA41CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abaa1af9c91c2c08d88298aa8848b81c2ac64bfc3e1e13cc4fe766716a192fea
                                          • Instruction ID: 1b7ed5c10f8356f80a590d6386277625cbcbfb246a41b86637676d369b892d57
                                          • Opcode Fuzzy Hash: abaa1af9c91c2c08d88298aa8848b81c2ac64bfc3e1e13cc4fe766716a192fea
                                          • Instruction Fuzzy Hash: 8311C975E00609DFCB40EF69C545AADBBF4FF49310B10859AE859EB321E770EA45CB81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1dd9d95e12645c589a130380301a329d4bb417fab703fdb1937cff0e17559386
                                          • Instruction ID: 1e60d00c5c1733a932d8d7d2737adc89210c60e1770b36a609423311b359be0a
                                          • Opcode Fuzzy Hash: 1dd9d95e12645c589a130380301a329d4bb417fab703fdb1937cff0e17559386
                                          • Instruction Fuzzy Hash: 6501FC31204340CFD715DB39E4153967FEAEBD9311F00446AE4C9C7295EFB96585CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 09ca389a08230cd33fd774bdb9fa8918e8551e623485041d0934254780eeb0ab
                                          • Instruction ID: d333a85c82b8026ffc217f44d1fbd7ef9641b8bf982e1b614368d206a7909879
                                          • Opcode Fuzzy Hash: 09ca389a08230cd33fd774bdb9fa8918e8551e623485041d0934254780eeb0ab
                                          • Instruction Fuzzy Hash: 6301A2753005218FCB18DA2DD850DAA77A2BFD6311B25446AEA4ACB364DA30EC0297D0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3349203b1d08014353a006bf0e9c30600e8645378b2eb3e765db7cdf3332456
                                          • Instruction ID: b333b4c787e7890e70845f62363903fbe2fe684a9b94bcfb68e4b491ca4be4e5
                                          • Opcode Fuzzy Hash: f3349203b1d08014353a006bf0e9c30600e8645378b2eb3e765db7cdf3332456
                                          • Instruction Fuzzy Hash: 7501FC302043448BD715EB3AD4553967FEAEBD9301F00886BE4C9C7285EFB55685CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00e64fc7d0b9fd3b40af785f733c57435406bb43e18d359ea2ad13dc9344bd51
                                          • Instruction ID: 8db85e55e6481d084dc03a9a18d01ed84670da8fedf86d98e7aa2c8064267df1
                                          • Opcode Fuzzy Hash: 00e64fc7d0b9fd3b40af785f733c57435406bb43e18d359ea2ad13dc9344bd51
                                          • Instruction Fuzzy Hash: 1AF0A4B43005218FCB18DA6DD450DAE73E3BFD6211721846AEA46CB364DE31EC0297D0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6722b64409247215835c069266a08faa784f39032649b4b5f45bd9085e91dd2
                                          • Instruction ID: 6fb6f0ac379729396f06b240fa2cb6efce4288518c808f435aaa7e735824fc6d
                                          • Opcode Fuzzy Hash: c6722b64409247215835c069266a08faa784f39032649b4b5f45bd9085e91dd2
                                          • Instruction Fuzzy Hash: CFF096B1B001149B8F15F7E9DD964BFBBBA9BCD610F010029D505AB340EA709E01D7E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7fefab2034a29e72d76bfcc46b012ac3d448105d58ef8619bf56ba93dc450832
                                          • Instruction ID: 7f1890baedd2c79edba05503fdcf51977a5d3740b36845bbf6d16c986d04d4d7
                                          • Opcode Fuzzy Hash: 7fefab2034a29e72d76bfcc46b012ac3d448105d58ef8619bf56ba93dc450832
                                          • Instruction Fuzzy Hash: D0F0E270309216CBCB28D7BA8466A3A32DEEFC4A56704482FA407C3250DE60DF01D7A1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3a00655472ccc27e8ffe1b1b8cdbec8a21a75e38334ababf7abbee0505638824
                                          • Instruction ID: b1355f60ccb2f4a951da773dcb258c9765067ee360da8f984ae79785541763f3
                                          • Opcode Fuzzy Hash: 3a00655472ccc27e8ffe1b1b8cdbec8a21a75e38334ababf7abbee0505638824
                                          • Instruction Fuzzy Hash: 1E01AD30601708CFC324EF79C011666B7FAFFC0340B50866EE9868B260EB71EA41CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e849457f8bb170dda91c226d10fca1d59849437f7b37ea374fe2bc318f913a7
                                          • Instruction ID: 60c54a67d198e4e5ae7b81d004e9d60c21ce26217d3f9866059622672b784f03
                                          • Opcode Fuzzy Hash: 7e849457f8bb170dda91c226d10fca1d59849437f7b37ea374fe2bc318f913a7
                                          • Instruction Fuzzy Hash: 34F0C235300710CFC724AF1AE458B6ABBAAFF88621B00451DE50A4B321DF75AC42CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 86f97f2a31d7d1a806fb6b6a3830c32aa7eeb217340820edfa0f083a3ee605b3
                                          • Instruction ID: 4d125d219bbddb80370571daf3c9f281a693470bca8d50d46233408432bed989
                                          • Opcode Fuzzy Hash: 86f97f2a31d7d1a806fb6b6a3830c32aa7eeb217340820edfa0f083a3ee605b3
                                          • Instruction Fuzzy Hash: ECF02BB1305611CBCB1AA7BC842623D67AAEFC5901B08507ED906DB391DF34CF02D796
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 104567354c8783f751c37c8db0b6c604656d4b6b8d962bb11ea85f76bb46356f
                                          • Instruction ID: 4499c590b546919b7c42ba6d8b3ca18c657ccba54bc83ed332f45dda594afe25
                                          • Opcode Fuzzy Hash: 104567354c8783f751c37c8db0b6c604656d4b6b8d962bb11ea85f76bb46356f
                                          • Instruction Fuzzy Hash: 08F0B471309215CBCB249BAA8476A7A37AEEF84A56709006ED903C7690DA60DF05D7A1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3383201f2569ba7142304091c674095a1023774f2372901acecdb9b3b3517ba6
                                          • Instruction ID: eecdd0c1fed9b8bebe6a7aad07b0f9ab2cf082afcc6686caeee028b6cb5287b9
                                          • Opcode Fuzzy Hash: 3383201f2569ba7142304091c674095a1023774f2372901acecdb9b3b3517ba6
                                          • Instruction Fuzzy Hash: 98F0C271700718CBCB117BB8840A5AEB779EFC1610F01466DD94527300EF30BA85C6D1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ad958883d9023ffd8a683c83d8d1987fcc46603dc21d79de39ff73ae9551bcf
                                          • Instruction ID: 6eaa0ec4240ee49adef75ab68cdc6ffe76983d7b3961a7b80396587035622b7a
                                          • Opcode Fuzzy Hash: 7ad958883d9023ffd8a683c83d8d1987fcc46603dc21d79de39ff73ae9551bcf
                                          • Instruction Fuzzy Hash: 5CF0B4363007118F87149A6EE88485ABBE9EBD42613004A7AE50EC7220CE60AD498794
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3bfc674b75db56ac7d104422f294df1383b43dc93d225edad6d83fd617c177c5
                                          • Instruction ID: 56b93ea67e579cdeb352300bfb9ae3ee5135828bcefd6151a6db6392a93c7c36
                                          • Opcode Fuzzy Hash: 3bfc674b75db56ac7d104422f294df1383b43dc93d225edad6d83fd617c177c5
                                          • Instruction Fuzzy Hash: F3F0E271300610CB8B196BBD942A53E729AEFC5911B54503DD906CB390DE31DF0387A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbc70a302b5e4111b59e6adc4f8b9c0b75b65f64dcf4744ceec3c62d66e543e7
                                          • Instruction ID: f2626dff094e6a0258f993698e2ed90963a6ff00615485ea58f4348f7e1c2355
                                          • Opcode Fuzzy Hash: bbc70a302b5e4111b59e6adc4f8b9c0b75b65f64dcf4744ceec3c62d66e543e7
                                          • Instruction Fuzzy Hash: 9CF0B435300710CFC725AF1AE448A2AB7AAFFCC621701055DE10A87720DF71AC41CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b5d80569a747f0e8313d357756d850d92faa21b66e02a49189161bf167b944f
                                          • Instruction ID: ed09d099b69772db418f436ae6ec8ca376a48ac2c2af8d5c28835eb1d88529c6
                                          • Opcode Fuzzy Hash: 6b5d80569a747f0e8313d357756d850d92faa21b66e02a49189161bf167b944f
                                          • Instruction Fuzzy Hash: 7BF0BE36300309DBCB04DF29E484D9A7BAEEF89360B000064F6048F234DB75AC05CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4113fdbba78492831393ed78f550375b34a47ece176bfb4c70c88b95d60282fb
                                          • Instruction ID: 42d680fa3d01ff678ff6c2694e33485a43d396e26a6c181e456615f1502657f6
                                          • Opcode Fuzzy Hash: 4113fdbba78492831393ed78f550375b34a47ece176bfb4c70c88b95d60282fb
                                          • Instruction Fuzzy Hash: 4AF089317003249FCB18A775D41556F7BAAFBC5351F50887DE40697340DE35A801DBA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e82ab5089e16615a3c283c8d517d1d9dfed7e255782f02b7fa94e5f63a9b1dd1
                                          • Instruction ID: a58b6b81653ddf1a9a4fe2542f0b10605a23e8a280971c5476185319079b6a85
                                          • Opcode Fuzzy Hash: e82ab5089e16615a3c283c8d517d1d9dfed7e255782f02b7fa94e5f63a9b1dd1
                                          • Instruction Fuzzy Hash: 10F0A771504704EBDB349A25E4059237FFDEB85264714096AF88AC6650DA31F846C760
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                          • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
                                          • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                          • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f1f676e328eda42e721d86dd376e2f401f17c64f3fed1391466100cafd151db
                                          • Instruction ID: a6e0a575d7b36b3752ce952e150c31d22952b5ca45a25e763e232e1cf072a9ce
                                          • Opcode Fuzzy Hash: 4f1f676e328eda42e721d86dd376e2f401f17c64f3fed1391466100cafd151db
                                          • Instruction Fuzzy Hash: 47F089317003249FCB18A775D41556E7BAAFBC5351F50887DE40687340DE35A801DBA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a08569e8c4a3f1ebb26d7097bee6fd556f44d44087c169ffb341e89c3cbf80d5
                                          • Instruction ID: e3025bc535870bb356da8b26307d3a2c173bc1fef3f09b849d2c2b022c0d37c0
                                          • Opcode Fuzzy Hash: a08569e8c4a3f1ebb26d7097bee6fd556f44d44087c169ffb341e89c3cbf80d5
                                          • Instruction Fuzzy Hash: 5EF090B1E04209DFCF10DFE8F64A6ACBBB1FB45305F248916D80AE3210DA3A5E44DB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4280435e758dcdb04865a154375bdf6a1c96c362ea7406db5c1aa29ebdebc0b1
                                          • Instruction ID: ef4a8d70c4fa8eaaa968770bebe3c2295f2a6a2e2f381c1b25b3a98922ef44c4
                                          • Opcode Fuzzy Hash: 4280435e758dcdb04865a154375bdf6a1c96c362ea7406db5c1aa29ebdebc0b1
                                          • Instruction Fuzzy Hash: 75F0FF31210610CFC714DB2CE598A58BBE6FF09716B4249A9E11ACB332CB72EC80CB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0fec7f6a4f4534e424e6fd4f0469fe5aab5258da82d97b6babb3c257b515e173
                                          • Instruction ID: f490ad14b6cfeb1dd1c4a1054fa685870de459c2f5a783a15074769261d1ddff
                                          • Opcode Fuzzy Hash: 0fec7f6a4f4534e424e6fd4f0469fe5aab5258da82d97b6babb3c257b515e173
                                          • Instruction Fuzzy Hash: D7F0E9723043628FC7155B39E49990A7FB5EFA931130045BEF50ECB262CD60DD498754
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f437c396c1585a8512c2c373653cc557cff4051339c0bb9380077d3b4f845e9b
                                          • Instruction ID: 6d755c6be794db985e9941c2f77199698f0422b7ddd5abc10786b6da90776193
                                          • Opcode Fuzzy Hash: f437c396c1585a8512c2c373653cc557cff4051339c0bb9380077d3b4f845e9b
                                          • Instruction Fuzzy Hash: 59F0493AB002298FCB00EB98D4849DCB3F1FF8CB11B194495E949BB360CB74AD41CBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8447994f176e4b7069feadc3c3529ada5b297995a5782d6f68106c2156308f7a
                                          • Instruction ID: 09211bf4214a8ed4da6bccb87eecf99a980c248feb7a4539c5e699f64f2f721a
                                          • Opcode Fuzzy Hash: 8447994f176e4b7069feadc3c3529ada5b297995a5782d6f68106c2156308f7a
                                          • Instruction Fuzzy Hash: 15F049F4D0435A9FCB00DFA9C8456AEBFF1BB48200F244459E405E7340D771A2018F95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 131d01a1e02a7176415e83ec16c83d3f52d9ea06046776823679b454c4b92d11
                                          • Instruction ID: cab6e0109982066cf48b537d141f88808697674236905b829466d9d01a5a89b5
                                          • Opcode Fuzzy Hash: 131d01a1e02a7176415e83ec16c83d3f52d9ea06046776823679b454c4b92d11
                                          • Instruction Fuzzy Hash: 4FF0303530030ADBDB05EF79E484CAA7BAEEF893503514469F6058F224DB75EC45DBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc74b6d15f3b9553dcb3275423084c4378cddd5e59188ec0e57dfcbfcb4aaf9f
                                          • Instruction ID: 031704d412ba6fb8adf84f7566e1f893d6c94f2387260578cc5254f24c962c03
                                          • Opcode Fuzzy Hash: fc74b6d15f3b9553dcb3275423084c4378cddd5e59188ec0e57dfcbfcb4aaf9f
                                          • Instruction Fuzzy Hash: 0BF03AF0D1421E9FDB44DFA9C901AAFBBF5BB48200F1045A9D908E3340D77096018F91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 79b3e92bf86200865b326cf2df94fcad7c13fd9bb87ffed2e94634cfea772cd1
                                          • Instruction ID: 85ee8887de7d8a84f9d819cd0a2aa541acf2c50fa8aae09402d21952e2104796
                                          • Opcode Fuzzy Hash: 79b3e92bf86200865b326cf2df94fcad7c13fd9bb87ffed2e94634cfea772cd1
                                          • Instruction Fuzzy Hash: A3E022323040584B8B00AB5EB808DCABBBACFC652AB1400ABEA0DCB221CA209D064390
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 722e52bb6e5fa868ea8430e6541e0410404a9e59387ed11f0237d3a76be607f0
                                          • Instruction ID: 1675791265baa48cfa6ffdf4832d917ee288df14b319b0bdb0f7259ebce4ef9b
                                          • Opcode Fuzzy Hash: 722e52bb6e5fa868ea8430e6541e0410404a9e59387ed11f0237d3a76be607f0
                                          • Instruction Fuzzy Hash: 1DE0DF71300109EBC720614EA444B7BBBEEEBCC362F01882AE809C3244DA64AC4086E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18a49e485c349d25ba3409181c8f83e73de5d3c772d7ba37576101eb65a9f9ed
                                          • Instruction ID: 74568a8639dd0a5b4492c1c78dd27c68a909f30e4aaeedea1a31db7548357e2f
                                          • Opcode Fuzzy Hash: 18a49e485c349d25ba3409181c8f83e73de5d3c772d7ba37576101eb65a9f9ed
                                          • Instruction Fuzzy Hash: 7DF0F830200610CFC714DB2CD588D597BE6FF4971575145A9E10ACB332CB72EC40CB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cbc5a6df7972530d89e386bb01246a96eabc2608e7b12cbea5fec2c23fe8130f
                                          • Instruction ID: ece9cc9477c74ebcd2b402286df4ad560d7b33cae5558df278082605c8a2e5f6
                                          • Opcode Fuzzy Hash: cbc5a6df7972530d89e386bb01246a96eabc2608e7b12cbea5fec2c23fe8130f
                                          • Instruction Fuzzy Hash: 3CF0E53120A7504FD315AB798824EDB7BF69FC6352F0404EED4468B382DA72B846C7A0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33f93da8375ae3361cfe3461ada7645421c3d123fa87e8d01d49e51da9f17bd0
                                          • Instruction ID: 78ceac198e1845b6fc857efbc007482042bcd00623443dc17150c567b1a0b23e
                                          • Opcode Fuzzy Hash: 33f93da8375ae3361cfe3461ada7645421c3d123fa87e8d01d49e51da9f17bd0
                                          • Instruction Fuzzy Hash: 7FF08C32118249DFCB029FA4E9598597FBAFF0A300745C096F9098B233C736E915DB11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 336bb7be5f57762c89e8b8f3a1f8d0c1b95287f9eccdcaf9d2420a3d7472a77f
                                          • Instruction ID: 262758e56e82df2708352183e885f1c3f0e5eff42a19bb460cfbd56e04cd9e84
                                          • Opcode Fuzzy Hash: 336bb7be5f57762c89e8b8f3a1f8d0c1b95287f9eccdcaf9d2420a3d7472a77f
                                          • Instruction Fuzzy Hash: F8F05EB0A0061ACFEB149FBA94197AD7AA1AF85711F508429C005BA2D0CF7848429FA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9cf206bdde630e77c6c85e6af6bd82ba197bd9ad8dc8aaaa26fa5d683687f078
                                          • Instruction ID: e6e34f51ab1ec058e2aa125d3c83139ebfad082e87f41393b4ebc2a275d7ede8
                                          • Opcode Fuzzy Hash: 9cf206bdde630e77c6c85e6af6bd82ba197bd9ad8dc8aaaa26fa5d683687f078
                                          • Instruction Fuzzy Hash: 68F0303190161ACFCB04EB78C5054D9B7B4FF85704F61869AD4486B221EB71E986CBC2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee400d0aa93b4c823af611f39343afdb21a662e1b31f41ed02792ebaf6fdb844
                                          • Instruction ID: 9f5a383136b4692f3f01ad2727c8b542287db7d763c9712d455bb6a1ba654615
                                          • Opcode Fuzzy Hash: ee400d0aa93b4c823af611f39343afdb21a662e1b31f41ed02792ebaf6fdb844
                                          • Instruction Fuzzy Hash: B5E0D8723087610BC206E22DA8509CBFBD5EFD83117048D2AE5588B215DA20588583E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4162e2181fc88a1f27e0586b28951ec24b2d30bcabc7c753d7d8cba917dcba28
                                          • Instruction ID: eb84a9d814130fbe2b5f5d652313ff5861f4695e5908e9e1528b3db7c99d10fb
                                          • Opcode Fuzzy Hash: 4162e2181fc88a1f27e0586b28951ec24b2d30bcabc7c753d7d8cba917dcba28
                                          • Instruction Fuzzy Hash: D2E012753467108BD714A6798550ADA76EA9BC5752F0008ADD80947380DA72A8468790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e0fcfec423d5923cd5bafa730bdde45f52704af10170bcd6e495c2be350ac81b
                                          • Instruction ID: 9ff2e8e9b84911c4e5a00eb34bb68be95253d66262d4dbfa83d5e04c25d4f560
                                          • Opcode Fuzzy Hash: e0fcfec423d5923cd5bafa730bdde45f52704af10170bcd6e495c2be350ac81b
                                          • Instruction Fuzzy Hash: D6E04F722146149FC318CA5CE441A5577E9EB48311B1489A9F00AC7661DA60ED458790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b2b2be4e3a8f93e64913466794dee34c589446421e646ccbcc479778cde428e9
                                          • Instruction ID: 7373ee201ffbfe653d27080539a48baf0263423e8bdb084e863719aaebe416ef
                                          • Opcode Fuzzy Hash: b2b2be4e3a8f93e64913466794dee34c589446421e646ccbcc479778cde428e9
                                          • Instruction Fuzzy Hash: 60E0ED36D0120CEFCB40DFE4D9896CDBFB5EB48201F1081A5E905A3240EB306B45DF84
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8410369ebea41692d084d7aed022965ab8ee11e16ed9891cb76838dc50e3662a
                                          • Instruction ID: 85042083d3befa25ff37274d716851dbcfff251a99364c664b47a31060300325
                                          • Opcode Fuzzy Hash: 8410369ebea41692d084d7aed022965ab8ee11e16ed9891cb76838dc50e3662a
                                          • Instruction Fuzzy Hash: 51F0C036B05208CFCB14DFA4E5495DCB7B5FB4D215F2404A6D506B7240C7325D55CB65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fbe077ae6a64e470c3db67e36711ca1a1cfe150f36e13fe0c45d3f69c6b574f3
                                          • Instruction ID: 3f1bea9cf3a3d51e9cddcbdfc77512027d19e4076afd5bf56f0587289a1f7c96
                                          • Opcode Fuzzy Hash: fbe077ae6a64e470c3db67e36711ca1a1cfe150f36e13fe0c45d3f69c6b574f3
                                          • Instruction Fuzzy Hash: 3AD05B323501244FD304DBB9F445E9277DCEB49665B0140A6F60CCB251DB62E8004790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fd721b1a1bdba47b43a073df12776ad4ec46ecf78914cec9ed01b5474decb5b8
                                          • Instruction ID: 462f4f2f76bcd61bba5e6e6700ece1d190d341e4a8c12a875e51b2ffd2b62581
                                          • Opcode Fuzzy Hash: fd721b1a1bdba47b43a073df12776ad4ec46ecf78914cec9ed01b5474decb5b8
                                          • Instruction Fuzzy Hash: 18D05E303187149FC72CDB5CE840C9AB3EEEF883123248AAAF00AC7760DA60FC058784
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e41f331d3d2b58b69b6d4c27e4e11e04bd76c7e964389dafff7a78dff7b9ad89
                                          • Instruction ID: 7e144ebff939a9420cc897ffbbf1c920f2b09b121ef4334d4ef882b75e4d66a5
                                          • Opcode Fuzzy Hash: e41f331d3d2b58b69b6d4c27e4e11e04bd76c7e964389dafff7a78dff7b9ad89
                                          • Instruction Fuzzy Hash: A8E04FF1A00209EFCB00DFA9E40545C7BB5EB543007108656EC0597300DA362F40DB55
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4018a18c7c1a398acbf83e3068ec9b20366c00c2d3679f5a9ba8e4066e6d9587
                                          • Instruction ID: eca93da7028e361ba4efc0587b4d9639f9c01f5211752b6c2a7dc21b193b319e
                                          • Opcode Fuzzy Hash: 4018a18c7c1a398acbf83e3068ec9b20366c00c2d3679f5a9ba8e4066e6d9587
                                          • Instruction Fuzzy Hash: 49E09275D0120CEFCB40DFE4D9898DDBBB9EB48201F1082AAE909A3200EB316B15DF84
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 23792aaf621b74161eb36a3f46836952213977cc5028268b238dd7d08f6829e1
                                          • Instruction ID: 2fec56260428f84412a11ca3441a2ba74ad88e4695a46bb6ea137849468b78f5
                                          • Opcode Fuzzy Hash: 23792aaf621b74161eb36a3f46836952213977cc5028268b238dd7d08f6829e1
                                          • Instruction Fuzzy Hash: C7E0C2B100C7991EC703AB75BC1A6963FBAFBA5201B150981E4490F517DE6819C883A2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93c435aa53dbb58697374b437a1dfb4e697a3691c3acf641a9e69746ebe354c0
                                          • Instruction ID: f12b42c88b99eb02457e3d3bce5857434050307bbaab3ae286e8d57b5c8c6f9a
                                          • Opcode Fuzzy Hash: 93c435aa53dbb58697374b437a1dfb4e697a3691c3acf641a9e69746ebe354c0
                                          • Instruction Fuzzy Hash: D9D0A73630AB64DBC205676965067DABBA85F45250F00006EE41E87680CBF61C4687DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2325d1b614fc72aed6a9d048739e306199c0cb18e7c04c061e0ab1a47dc8e86e
                                          • Instruction ID: 96d4b5166c872d2882fcc914734181b75449b222e6f597569e3572ad229c3baf
                                          • Opcode Fuzzy Hash: 2325d1b614fc72aed6a9d048739e306199c0cb18e7c04c061e0ab1a47dc8e86e
                                          • Instruction Fuzzy Hash: D2C08C33300428630719718FB809D9FF3EECACAD3A350403BEA0DC33108DA46C0601EA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8188e6e69346cd1d84f9047fbfd305f992a1e73da3da8c2df74fa9a8079857f
                                          • Instruction ID: fb4f76e598f240f73cac355374fd6238762dc0c76a61f6efb0027203acf7ac42
                                          • Opcode Fuzzy Hash: d8188e6e69346cd1d84f9047fbfd305f992a1e73da3da8c2df74fa9a8079857f
                                          • Instruction Fuzzy Hash: 47D05E3000A7D49FC31A5BA9A45B3F03FB46F02711F481183F509C94A2C6641540D7A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e77b590eda828d9e213a517431fa9e0213a579769acb2043ee84670ac0b2ced8
                                          • Instruction ID: 974ad90ed32eec2a8bd8487e9122cab9283570f79f4734f5a4ae0e37b8d65882
                                          • Opcode Fuzzy Hash: e77b590eda828d9e213a517431fa9e0213a579769acb2043ee84670ac0b2ced8
                                          • Instruction Fuzzy Hash: 13D0127160D2E39FCB02CF1DF89C6543BB1EB52206B415091D001CF496DB3898CACB95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a898185025cfaf77bb7e6a3c3fa80164e71ff6c79fdb6d092f4b67cd062600c6
                                          • Instruction ID: dc3e7a02fbcb1501b13af5b15b0c9ddc2a9b9f2ebca440066e17022b4a45a41a
                                          • Opcode Fuzzy Hash: a898185025cfaf77bb7e6a3c3fa80164e71ff6c79fdb6d092f4b67cd062600c6
                                          • Instruction Fuzzy Hash: 36C08C3130972843C504365D610469E72AD4B826A4F00001ED80E97340CFE61C0542CB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ecf0b04cb938d27fc21293a0815a55ca6bb69a72d31a65703d66496c86377e1
                                          • Instruction ID: 6c3555c79fabcf77107ad8b91266ffa89d1f532adfc24fbf7cf2169f0d47021f
                                          • Opcode Fuzzy Hash: 5ecf0b04cb938d27fc21293a0815a55ca6bb69a72d31a65703d66496c86377e1
                                          • Instruction Fuzzy Hash: DAC0807AB0414487CB10DE64F4451DDB770FF85321F10447BD51557241C7359A159761
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 98e5d1ff1729ce96f162186a1b9c373d2f6e331f5ccaca98bbe4c4bfe97dca5e
                                          • Instruction ID: 3d1c9acb86777b0544608c74ac0b8db46361725bc2e13a7ac262f2feb9b22b8d
                                          • Opcode Fuzzy Hash: 98e5d1ff1729ce96f162186a1b9c373d2f6e331f5ccaca98bbe4c4bfe97dca5e
                                          • Instruction Fuzzy Hash: 62C012B11047294AC902EB6AF84951537BFF7E4302B604950B40D0E519DEBC5DC547D1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 59df1310c523ae551b9692017bcfe06a271f0fe692cf1f2aaac4ef4938d25abf
                                          • Instruction ID: 7e22629ba650edf52568ee596040de4eb84a44fc1b3ef77d1467dc27cb556593
                                          • Opcode Fuzzy Hash: 59df1310c523ae551b9692017bcfe06a271f0fe692cf1f2aaac4ef4938d25abf
                                          • Instruction Fuzzy Hash: ECD0123B00010CEFCB066F80ED48C84BFBAEB08310709C091FA0D8A032D732D964EB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726414880.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_5930000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eb1f5074ed40f6d758daad7f04dfcef94376571696625b6bd9809593410e8d5a
                                          • Instruction ID: 2da7fc2e130b290195480088904487d1932e532d5a8fce8de430332f2a6722da
                                          • Opcode Fuzzy Hash: eb1f5074ed40f6d758daad7f04dfcef94376571696625b6bd9809593410e8d5a
                                          • Instruction Fuzzy Hash: 10C0023B005108EFCB066F80E948C85BFAAEB48310705C091FA094A436D772D564EB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b89226328f2a9c94ef5d3e7268624c8f473ed70085267f484bb5e46f531d14d6
                                          • Instruction ID: 2f46309125a24d4e4a328c97544fb4d8208efea3ea6b6b9b212809ca5dabb181
                                          • Opcode Fuzzy Hash: b89226328f2a9c94ef5d3e7268624c8f473ed70085267f484bb5e46f531d14d6
                                          • Instruction Fuzzy Hash: DBC08C700053488BC2586BA9B44E3743BB86F01712F880010F409894A08AA41040DB39
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 2$U$c
                                          • API String ID: 0-2109151629
                                          • Opcode ID: b4f5d0c1e1f6c4d7dedf745e28c751a614238413ee6b7deb7b990665ce3d5bac
                                          • Instruction ID: f6323680d967f93135b05f577b5ead0aa475debeb447fc106027e5b1d1dcf5f1
                                          • Opcode Fuzzy Hash: b4f5d0c1e1f6c4d7dedf745e28c751a614238413ee6b7deb7b990665ce3d5bac
                                          • Instruction Fuzzy Hash: 6771D7B1E015199BCB04DFA9C5806AEFBF2FF89300F28C165D414AB785D734AA82DF94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: {
                                          • API String ID: 0-366298937
                                          • Opcode ID: b52eee5c30e05c258eb483d0c5784f48f2897a08ec5770244a41f569c9c196dd
                                          • Instruction ID: c7c0c6c03ba75210d69b5f485294cebb7526706636747fbcb28e176ddfb5ab04
                                          • Opcode Fuzzy Hash: b52eee5c30e05c258eb483d0c5784f48f2897a08ec5770244a41f569c9c196dd
                                          • Instruction Fuzzy Hash: 115148B5E0021A9FDB04CFAAC9806EEFBF2FF89300F14D125D414A7291D7349A82CB90
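The entries above are the report's per-function records: each one names the memory dump the function was recovered from, whether that dump was based on a PE image, and the Opcode / Instruction fuzzy hashes that let the function be matched against other reports. When triaging a report of this size it helps to turn the flat listing into structured data. The following Python is an added example for that (it is not Joe Sandbox code and not part of this report); the three sample entries are copied from the listing, and the only structural assumptions are the ones visible on the page: an entry starts at a "Memory Dump Source" line, and each "• Key: value" bullet belongs to the most recent entry. The reading of "based on PE: false" as a region not mapped from an on-disk image is the analyst's interpretation, not something the report states.

```python
import re
from collections import defaultdict

# "• Key: value" bullets; keys with blank values (API ID etc.) are kept as "".
BULLET = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
# "<dump>.sdmp, Offset: <hex>, based on PE: <true|false>" as printed by the report.
SOURCE = re.compile(
    r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)

# Constructed sample: three entries copied from the listing above.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
Similarity
• API ID:
• String ID: 2$U$c
• API String ID: 0-2109151629
• Opcode ID: b4f5d0c1e1f6c4d7dedf745e28c751a614238413ee6b7deb7b990665ce3d5bac
• Instruction ID: f6323680d967f93135b05f577b5ead0aa475debeb447fc106027e5b1d1dcf5f1
• Opcode Fuzzy Hash: b4f5d0c1e1f6c4d7dedf745e28c751a614238413ee6b7deb7b990665ce3d5bac
• Instruction Fuzzy Hash: 6771D7B1E015199BCB04DFA9C5806AEFBF2FF89300F28C165D414AB785D734AA82DF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1727070445.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7520000_Doc089776867565357609 - EVER ATOP V.jbxd
Similarity
• API ID:
• String ID: {
• API String ID: 0-366298937
• Opcode ID: b52eee5c30e05c258eb483d0c5784f48f2897a08ec5770244a41f569c9c196dd
• Instruction ID: c7c0c6c03ba75210d69b5f485294cebb7526706636747fbcb28e176ddfb5ab04
• Opcode Fuzzy Hash: b52eee5c30e05c258eb483d0c5784f48f2897a08ec5770244a41f569c9c196dd
• Instruction Fuzzy Hash: 115148B5E0021A9FDB04CFAAC9806EEFBF2FF89300F14D125D414A7291D7349A82CB90
Memory Dump Source
• Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31a7946ed6697e870d9ecae380072bd2956840db9c7dff332c1ac6d5a3138448
• Instruction ID: 2bdd980676d8f8fedcce68a7f41f113d3559bfc997106ce14c2531a7ed876c75
• Opcode Fuzzy Hash: 31a7946ed6697e870d9ecae380072bd2956840db9c7dff332c1ac6d5a3138448
• Instruction Fuzzy Hash: 42E119B4E001198FCB14CFA9C5849AEFBB2FF89305F2481AAD414AB356D735AD42CF60
"""


def parse_entries(text):
    """Split the listing into one dict per function entry.

    An entry starts at a 'Memory Dump Source' line; every '• Key: value'
    line up to the next one is attached to it. Label lines such as
    'Joe Sandbox IDA Plugin', 'Similarity' and 'Strings' carry no value
    and are skipped. Source File lines are additionally decoded into
    dump_file / dump_offset / based_on_pe.
    """
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first entry
        m = BULLET.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        current[key] = value
        if key == "Source File":
            s = SOURCE.match(value)
            if s:
                current["dump_file"] = s["file"]
                current["dump_offset"] = int(s["offset"], 16)
                current["based_on_pe"] = s["pe"] == "true"
    return entries


def functions_per_dump(entries):
    """Distinct Opcode IDs per memory dump, keyed by the dump's base offset."""
    ids = defaultdict(set)
    for e in entries:
        if "dump_offset" in e and e.get("Opcode ID"):
            ids[e["dump_offset"]].add(e["Opcode ID"])
    return {off: len(v) for off, v in ids.items()}


def non_pe_dumps(entries):
    """Base offsets of dumps the report marks 'based on PE: false'.

    Interpretation (not stated by the report): such regions were not mapped
    from an image on disk, which is where unpacked or injected stages live.
    """
    return sorted({e["dump_offset"] for e in entries if e.get("based_on_pe") is False})


def fuzzy_hash_pivots(entries):
    """(Instruction Fuzzy Hash, String ID) for functions that reference a
    string; these are the records worth pivoting on across other reports."""
    return [(e["Instruction Fuzzy Hash"], e["String ID"])
            for e in entries if e.get("String ID") and e.get("Instruction Fuzzy Hash")]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for off, n in sorted(functions_per_dump(parsed).items()):
        print(f"dump @ {off:08X}: {n} function(s)")
    print("non-PE dumps:", [f"{o:08X}" for o in non_pe_dumps(parsed)])
    for h, s in fuzzy_hash_pivots(parsed):
        print(f"pivot {h[:16]}… string id {s!r}")
```

Feeding the whole report section to `parse_entries` instead of `SAMPLE` gives the per-dump function counts for every region listed here; the fuzzy-hash tuples can then be searched in other reports to find functions shared with earlier samples of the same family.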
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 31a7946ed6697e870d9ecae380072bd2956840db9c7dff332c1ac6d5a3138448
                                          • Instruction ID: 2bdd980676d8f8fedcce68a7f41f113d3559bfc997106ce14c2531a7ed876c75
                                          • Opcode Fuzzy Hash: 31a7946ed6697e870d9ecae380072bd2956840db9c7dff332c1ac6d5a3138448
                                          • Instruction Fuzzy Hash: 42E119B4E001198FCB14CFA9C5849AEFBB2FF89305F2481AAD414AB356D735AD42CF60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726283184.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_58e0000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3306d6710e3a929693497cf388b295a8b16458b5ab2fb437560c058524774004
                                          • Instruction ID: 7ff6c3284449f9a555bbadc196457b899af9674f6a4ac7d786fe6693ebe6d234
                                          • Opcode Fuzzy Hash: 3306d6710e3a929693497cf388b295a8b16458b5ab2fb437560c058524774004
                                          • Instruction Fuzzy Hash: 9912D7B05017458AD359FF25EC4C1893BB7BB8A3A8F904709D2615F2E9E7B410CACF64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f75c45d1a1729996b15316c8689b5cc8068e7ba08e8ad38cf83f3a6e791e87bd
                                          • Instruction ID: 6701c7e1348c531a18b37ffef8016e5879de9ac0747cf3c331057199456f1a62
                                          • Opcode Fuzzy Hash: f75c45d1a1729996b15316c8689b5cc8068e7ba08e8ad38cf83f3a6e791e87bd
                                          • Instruction Fuzzy Hash: 57E1F6B4E101198FCB14CFA9C5949AEBBF2FF89305F2481A9D418AB355D734AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed00fc6244e4ae05ba426eb1118da2069981ae781c36c1fefb615331e6234708
                                          • Instruction ID: fa7a2e46eb30d52671b8547b4c33d85d8a73573514b22c6b7c5adc48f5381208
                                          • Opcode Fuzzy Hash: ed00fc6244e4ae05ba426eb1118da2069981ae781c36c1fefb615331e6234708
                                          • Instruction Fuzzy Hash: 26E1D7B4E011198FCB14CFA9C5849AEBBF2FF89305F248169D818AB355D734AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f0b0c0fd95112340fe2c5e43abafe308801d2f57c74b44a868bdccdde7ce5903
                                          • Instruction ID: 71f5020b0c95be8780f49bf351aef3774b44802c6a48b40ed3817e26ea45cc49
                                          • Opcode Fuzzy Hash: f0b0c0fd95112340fe2c5e43abafe308801d2f57c74b44a868bdccdde7ce5903
                                          • Instruction Fuzzy Hash: A7E1D9B4E001198FCB14DFA9C594AAEFBB2FF89305F248169D814AB355D734AD81CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eb948aef2b9b6e710932115a18dc11c36f50f6f2d3b08a180b3c095bf7849305
                                          • Instruction ID: 8dba5df907d9d30a90d1819196f71855be931011e77afe213287ccee68ce1468
                                          • Opcode Fuzzy Hash: eb948aef2b9b6e710932115a18dc11c36f50f6f2d3b08a180b3c095bf7849305
                                          • Instruction Fuzzy Hash: 5DE1EAB4E001198FDB14CFA9C594AAEFBB2FF89305F248169D414AB355D734AD82CF61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9560a6e6ec97339de8a767106137c7ebc447a748cd86a0b4b26902141445905b
                                          • Instruction ID: 7bfba3f3bd57769a4e51c686bd3f73b953b95fb7a581b455061c4e90272b925f
                                          • Opcode Fuzzy Hash: 9560a6e6ec97339de8a767106137c7ebc447a748cd86a0b4b26902141445905b
                                          • Instruction Fuzzy Hash: E9E1D7B4E001198FCB14DFA9C5849AEFBF2FF89314F248169D854AB355D734A982CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7564710afeab13102fc2d927e88154135b380614b7afd0313966e427b366d2ea
                                          • Instruction ID: 516328561a876ba4b0a470ce7e1ad7c986deca02006d9c63d1f6e4f7d1ca40c1
                                          • Opcode Fuzzy Hash: 7564710afeab13102fc2d927e88154135b380614b7afd0313966e427b366d2ea
                                          • Instruction Fuzzy Hash: 88E1E9B4E001198FCB14DFA9C5949AEFBB2FF89305F2481A9D414AB355D731AD82CFA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 565746525f8241a501724694bc183356f50ff993f04010d0a2a4e49a473ea75f
                                          • Instruction ID: 704adc1a951bc7f18ad9c22edde5edb4b2e92955b8be42ea09ad40ea8323f17f
                                          • Opcode Fuzzy Hash: 565746525f8241a501724694bc183356f50ff993f04010d0a2a4e49a473ea75f
                                          • Instruction Fuzzy Hash: BEE1E6B4E011198FCB14CFA9C5949AEBBF2FF89304F2481A9D918AB355D734AD42CF61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73fe6ed0e0fea1bd6feed88b0ab16be6c305e200f4a569ac6bc75ff192d4d2f5
                                          • Instruction ID: b3566751e5d7f59639de4776dbb2f65fa1b89cdd7a748db4c8864e6265358ea3
                                          • Opcode Fuzzy Hash: 73fe6ed0e0fea1bd6feed88b0ab16be6c305e200f4a569ac6bc75ff192d4d2f5
                                          • Instruction Fuzzy Hash: DFE1D6B4E011198FCB14DFA9C5949AEBBF2FF89304F248169D814AB355D734AD82CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1721633670.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3140000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f60f51acb08d4033c22c9549a996b05ec698d7931981af3de2b8ef3e04c6953
                                          • Instruction ID: 2d120191f6b44183d62f59a6dada9c8b37b02e6afe7c0954e39d5919cdf775da
                                          • Opcode Fuzzy Hash: 6f60f51acb08d4033c22c9549a996b05ec698d7931981af3de2b8ef3e04c6953
                                          • Instruction Fuzzy Hash: 6CA17C36A002098FCF19DFB4C94459EB7B2FF89300B1585AAE905AF365DB35E946CB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1726283184.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_58e0000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a439041970c7a33642d5ff5b527442ab0bae7c9b8d5838fe10713d34362a5b9
                                          • Instruction ID: 2000a5101456df6eaa92ef765ae42bb17de094e7de573ced2691b8c3f2598d30
                                          • Opcode Fuzzy Hash: 9a439041970c7a33642d5ff5b527442ab0bae7c9b8d5838fe10713d34362a5b9
                                          • Instruction Fuzzy Hash: E6C138B05017468BD719EF24EC4C1893BB7BB8A364F504709D2616F2E9EBB414CACF64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b745b8bb4f7aea8a8f11fdd4d1769d36d02a75325e93fd7c31ef0b13d950cb8a
                                          • Instruction ID: 511b2fc14ae05747a6de5a5240b9ea5c01305de899cb1145e4c55d1da6511908
                                          • Opcode Fuzzy Hash: b745b8bb4f7aea8a8f11fdd4d1769d36d02a75325e93fd7c31ef0b13d950cb8a
                                          • Instruction Fuzzy Hash: 897182B5E016198FCB04DFAAC5849AEFBF2BF89310F24D166D418AB355D734A942CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7a60000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 78b616b2d26f14d75ea6cdaaf2d93463fa166ddf98a5fe9f0419ff2af28aeb68
                                          • Instruction ID: bb6c498680b5c696be444cbf1996a3a1b9b49726e0fac0b5abefe9ea9945f9d9
                                          • Opcode Fuzzy Hash: 78b616b2d26f14d75ea6cdaaf2d93463fa166ddf98a5fe9f0419ff2af28aeb68
                                          • Instruction Fuzzy Hash: 73510BB4E012198FCB14CFA9D5845AEFBF2FF89304F2481A9D418AB355D7349942CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1728045800.0000000007A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A60000, based on PE: false
                                          Joe Sandbox IDA Plugin

                                          Execution Graph

                                          Execution Coverage: 2%
                                          Dynamic/Decrypted Code Coverage: 0%
                                          Signature Coverage: 1.8%
                                          Total number of Nodes: 740
                                          Total number of Limit Nodes: 17

                                          Control-flow Graph

                                          APIs
                                          • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                          • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                          • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                          • API String ID: 4236061018-3687161714
                                          • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                          • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                          • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                          • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                            • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                            • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                            • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe,00000104), ref: 0040E9EE
                                            • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                          • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                          • API String ID: 2830904901-1062405016
                                          • Opcode ID: 495a12a90936515c81303a824c8f73eb8482a1d80021e6fc0d2378f6666dcd93
                                          • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                          • Opcode Fuzzy Hash: 495a12a90936515c81303a824c8f73eb8482a1d80021e6fc0d2378f6666dcd93
                                          • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                          Control-flow Graph

                                          APIs
                                          • _wcslen.LIBCMT ref: 0040CE07
                                          • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                          • CopyFileW.KERNELBASE(C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                          • _wcslen.LIBCMT ref: 0040CEE6
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe,00000000,00000000), ref: 0040CF84
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                          • _wcslen.LIBCMT ref: 0040CFC6
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                          • ExitProcess.KERNEL32 ref: 0040D062
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                          • String ID: 6$C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe$del$open
                                          • API String ID: 1579085052-1187059730
                                          • Opcode ID: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                                          • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                          • Opcode Fuzzy Hash: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                                          • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

                                          Control-flow Graph

                                          APIs
                                          • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LongNamePath
                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                          • API String ID: 82841172-425784914
                                          • Opcode ID: 46d901405b7c4f1817ae1d48af55330febbd656c9bbb3008c43cf957afa3439e
                                          • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                          • Opcode Fuzzy Hash: 46d901405b7c4f1817ae1d48af55330febbd656c9bbb3008c43cf957afa3439e
                                          • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                            • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                            • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                            • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                          • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCurrentOpenProcessQueryValue
                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                          • API String ID: 1866151309-2070987746
                                          • Opcode ID: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                                          • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                          • Opcode Fuzzy Hash: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                                          • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                          Control-flow Graph

                                          APIs
                                          • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                          • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,74DF37E0,?), ref: 0041384D
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,74DF37E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                          • API String ID: 1818849710-1051519024
                                          • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                          • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                          • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                          • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

                                          Control-flow Graph

                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                          • GetLastError.KERNEL32 ref: 0040D083
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateErrorLastMutex
                                          • String ID: SG
                                          • API String ID: 1925916568-3189917014
                                          • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                          • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                          • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                          • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                                          Control-flow Graph

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                          • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                                          • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                          • Opcode Fuzzy Hash: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                                          • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

                                           Control-flow Graph (basic blocks listed as node id: address range, API calls made; arrows give successor blocks)
                                           • 677: 413549-413571 RegOpenKeyExA → 678, 679
                                           • 678: 4135a0 → 680
                                           • 679: 413573-41359e RegQueryValueExA, RegCloseKey → 680
                                           • 680: 4135a2-4135a5
                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                          • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                          • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                          • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                          • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

                                           Control-flow Graph (basic blocks listed as node id: address range, calls made; arrows give successor blocks)
                                           • 681: 40165e-401664 → 682, 683
                                           • 682: 401666-401668
                                           • 683: 401669-401674 → 684, 685
                                           • 684: 401676 → 685
                                           • 685: 40167b-401685 → 686, 687
                                           • 686: 401687-40168d → 687, 689
                                           • 687: 4016a8-4016a9 call 4344ea → 690
                                           • 689: 40168f-401694 → 684, 691
                                           • 690: 4016ae-4016af → 692
                                           • 691: 401696-4016a6 call 4344ea → 692
                                           • 692: 4016b1-4016b3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                          • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                          • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                          • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

                                           Control-flow Graph (basic blocks listed as node id: address range, calls made; arrows give successor blocks)
                                           • 723: 446137-446143 → 724, 725
                                           • 724: 446175-446180 call 4405dd → 732
                                           • 725: 446145-446147 → 726, 727
                                           • 726: 446160-446171 RtlAllocateHeap → 730, 731
                                           • 727: 446149-44614a → 726
                                           • 730: 446173 → 732
                                           • 731: 44614c-446153 call 445545 → 724, 735
                                           • 732: 446182-446184
                                           • 735: 446155-44615e call 442f80 → 724, 726
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                          • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                          • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                          • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                          • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                            • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                            • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                            • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                          • DeleteFileA.KERNEL32(?), ref: 00408652
                                            • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                            • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                            • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                            • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                          • Sleep.KERNEL32(000007D0), ref: 004086F8
                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                            • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                          • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                          • API String ID: 1067849700-181434739
                                          • Opcode ID: ed1bd2f71bf4913d82fc68c669dd054f55d693d56a0d5578707dbe8f2441d685
                                          • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                          • Opcode Fuzzy Hash: ed1bd2f71bf4913d82fc68c669dd054f55d693d56a0d5578707dbe8f2441d685
                                          • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 004056E6
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          • __Init_thread_footer.LIBCMT ref: 00405723
                                          • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                          • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                          • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                          • CloseHandle.KERNEL32 ref: 00405A23
                                          • CloseHandle.KERNEL32 ref: 00405A2B
                                          • CloseHandle.KERNEL32 ref: 00405A3D
                                          • CloseHandle.KERNEL32 ref: 00405A45
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                          • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                          • API String ID: 2994406822-18413064
                                          • Opcode ID: 9fdb2614b32db6a8ce990b4168d70707e98bdb19d6332ad615b030cef840106b
                                          • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                          • Opcode Fuzzy Hash: 9fdb2614b32db6a8ce990b4168d70707e98bdb19d6332ad615b030cef840106b
                                          • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                          APIs
                                            • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                            • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                            • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                          • CloseHandle.KERNEL32(00000000), ref: 00412155
                                          • CreateThread.KERNEL32(00000000,00000000,Function_000127EE,00000000,00000000,00000000), ref: 004121AB
                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateOpen$HandleMutexProcessThreadValue
                                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                          • API String ID: 261377708-13974260
                                          • Opcode ID: 390b1a02c75fda0ce3305a4ad7333e335e8ad420acfc0a8a1f0d56aaabd3b728
                                          • Instruction ID: 5044532447ce4e70f722e285ad7bc5f912dfeea71c25201e33dbc8cc77036b6f
                                          • Opcode Fuzzy Hash: 390b1a02c75fda0ce3305a4ad7333e335e8ad420acfc0a8a1f0d56aaabd3b728
                                          • Instruction Fuzzy Hash: 8171823160430167C618FB72CD579AE73A4AED0308F50057FF546A61E2FFBC9949C69A
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                          • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                          • FindClose.KERNEL32(00000000), ref: 0040BD12
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                          • API String ID: 1164774033-3681987949
                                          • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                          • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                          • Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                          • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                          APIs
                                          • OpenClipboard.USER32 ref: 004168C2
                                          • EmptyClipboard.USER32 ref: 004168D0
                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                          • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                          • CloseClipboard.USER32 ref: 00416955
                                          • OpenClipboard.USER32 ref: 0041695C
                                          • GetClipboardData.USER32(0000000D), ref: 0041696C
                                          • GlobalLock.KERNEL32(00000000), ref: 00416975
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                          • CloseClipboard.USER32 ref: 00416984
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                          • String ID: !D@
                                          • API String ID: 3520204547-604454484
                                          • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                          • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                          • Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                          • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                          • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                          • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                          • FindClose.KERNEL32(00000000), ref: 0040BED0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$Close$File$FirstNext
                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 3527384056-432212279
                                          • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                                          • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                          • Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                                          • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4B9
                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                          • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                          • API String ID: 3756808967-1743721670
                                          • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                          • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                          • Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                          • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 0$1$2$3$4$5$6$7$VG
                                          • API String ID: 0-1861860590
                                          • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                          • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                          • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                          • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                          APIs
                                          • _wcslen.LIBCMT ref: 00407521
                                          • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Object_wcslen
                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                          • API String ID: 240030777-3166923314
                                          • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                          • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                          • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                          • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                          APIs
                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                          • GetLastError.KERNEL32 ref: 0041A7BB
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                          • String ID:
                                          • API String ID: 3587775597-0
                                          • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                                          • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                          • Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                                          • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                          • FindClose.KERNEL32(00000000), ref: 0040C47D
                                          • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 1164774033-405221262
                                          • Opcode ID: b4ce1130c63f91c9a7bb924499f2ab22045580026bc8e52ab8eb9ef944069cc1
                                          • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                          • Opcode Fuzzy Hash: b4ce1130c63f91c9a7bb924499f2ab22045580026bc8e52ab8eb9ef944069cc1
                                          • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                            • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                          • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                          • String ID:
                                          • API String ID: 2341273852-0
                                          • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                          • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                          • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                          • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Find$CreateFirstNext
                                          • String ID: 8SG$PXG$PXG$NG$PG
                                          • API String ID: 341183262-3812160132
                                          • Opcode ID: 51c1bc0efb57238df8f343c385f4ca69313514bd3b1d4432c3fe4bb7cf6149f9
                                          • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                          • Opcode Fuzzy Hash: 51c1bc0efb57238df8f343c385f4ca69313514bd3b1d4432c3fe4bb7cf6149f9
                                          • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                          • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                          • GetLastError.KERNEL32 ref: 0040A2ED
                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                          • TranslateMessage.USER32(?), ref: 0040A34A
                                          • DispatchMessageA.USER32(?), ref: 0040A355
                                          Strings
                                          • Keylogger initialization failure: error , xrefs: 0040A301
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                          • String ID: Keylogger initialization failure: error
                                          • API String ID: 3219506041-952744263
                                          • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                                          • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                          • Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                                          • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 0040A416
                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                          • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                          • GetKeyState.USER32(00000010), ref: 0040A433
                                          • GetKeyboardState.USER32(?), ref: 0040A43E
                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                          • String ID:
                                          • API String ID: 1888522110-0
                                          • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                          • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                          • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                          • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                          APIs
                                            • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                            • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                            • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                            • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                            • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                          • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                          • String ID: !D@$PowrProf.dll$SetSuspendState
                                          • API String ID: 1589313981-2876530381
                                          • Opcode ID: 7d52df1408e09a8eb3982e7da52f878f0a451a5f56a7a2098f3d013e22341463
                                          • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                          • Opcode Fuzzy Hash: 7d52df1408e09a8eb3982e7da52f878f0a451a5f56a7a2098f3d013e22341463
                                          • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                          APIs
                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                          • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                          • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                          Strings
                                          • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$CloseHandleOpen$FileRead
                                          • String ID: http://geoplugin.net/json.gp
                                          • API String ID: 3121278467-91888290
                                          • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                          • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                          • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                          • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                          • GetLastError.KERNEL32 ref: 0040BA58
                                          Strings
                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                          • [Chrome StoredLogins not found], xrefs: 0040BA72
                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                          • UserProfile, xrefs: 0040BA1E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                          • API String ID: 2018770650-1062637481
                                          • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                          • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                          • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                          • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                          • GetLastError.KERNEL32 ref: 0041799D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3534403312-3733053543
                                          • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                          • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                          • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                          • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00409258
                                            • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                          • FindClose.KERNEL32(00000000), ref: 004093C1
                                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                          • FindClose.KERNEL32(00000000), ref: 004095B9
                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                          • String ID:
                                          • API String ID: 1824512719-0
                                          • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                          • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                          • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                          • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                          • String ID:
                                          • API String ID: 276877138-0
                                          • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                          • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                          • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                          • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                          APIs
                                            • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                            • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                            • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                          • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                          • ExitProcess.KERNEL32 ref: 0040F8CA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                          • String ID: 5.1.0 Pro$override$pth_unenc
                                          • API String ID: 2281282204-182549033
                                          • Opcode ID: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
                                          • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                          • Opcode Fuzzy Hash: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
                                          • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
                                          • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
                                          • GetACP.KERNEL32 ref: 00452513
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                          • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                          • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                          • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                          APIs
                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                          • wsprintfW.USER32 ref: 0040B1F3
                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EventLocalTimewsprintf
                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                          • API String ID: 1497725170-248792730
                                          • Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                                          • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                          • Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                                          • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                          APIs
                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                          • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                          • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                          • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID: SETTINGS
                                          • API String ID: 3473537107-594951305
                                          • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                          • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                          • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                          • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040966A
                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstH_prologNext
                                          • String ID:
                                          • API String ID: 1157919129-0
                                          • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                          • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                          • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                          • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                          APIs
                                            • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                          • GetUserDefaultLCID.KERNEL32 ref: 0045271C
                                          • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                          • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                          • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                          • String ID:
                                          • API String ID: 745075371-0
                                          • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                          • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                          • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                          • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00408811
                                          • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                          • String ID:
                                          • API String ID: 1771804793-0
                                          • Opcode ID: 9b645307c49ece523b116fa648223e4d0ed288365c05ee1dbdf173a36bd7f3be
                                          • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                          • Opcode Fuzzy Hash: 9b645307c49ece523b116fa648223e4d0ed288365c05ee1dbdf173a36bd7f3be
                                          • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: FileFind$FirstNextsend
                                          • String ID: XPG$XPG
                                          • API String ID: 4113138495-1962359302
                                          • Opcode ID: ab691d252adf93a793db7f637d0c661f35909e30d32946a99fdb273c158dd0c5
                                          • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                          • Opcode Fuzzy Hash: ab691d252adf93a793db7f637d0c661f35909e30d32946a99fdb273c158dd0c5
                                          • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                          APIs
                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                            • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                            • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                            • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CloseCreateInfoParametersSystemValue
                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                          • API String ID: 4127273184-3576401099
                                          • Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                          • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                          • Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                          • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                          • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                          • ExitProcess.KERNEL32 ref: 004432EF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID: PkGNG
                                          • API String ID: 1703294689-263838557
                                          • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                          • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                          • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                          • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                          APIs
                                            • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                          • IsValidCodePage.KERNEL32(00000000), ref: 00451DBA
                                          • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                          • _wcschr.LIBVCRUNTIME ref: 00451E58
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451EFB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                          • String ID:
                                          • API String ID: 4212172061-0
                                          • Opcode ID: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
                                          • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                          • Opcode Fuzzy Hash: d51387d99b1e6b249aff8f61d3989bee7608b3a62aead1fc41d833bb042b57a0
                                          • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                          APIs
                                          • _free.LIBCMT ref: 004493BD
                                            • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                          • GetTimeZoneInformation.KERNEL32 ref: 004493CF
                                          • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
                                          • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                          • String ID:
                                          • API String ID: 806657224-0
                                          • Opcode ID: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                                          • Instruction ID: 1863d2ad967fb4723a60e4ea427cb143a9fbff6035582c54e6546b9b7662ab80
                                          • Opcode Fuzzy Hash: 633092c3bba77b0065560d4fdbd9d9f897920caf7f9bf618c5d01735725c6ecb
                                          • Instruction Fuzzy Hash: E1312570908201EFDB18DF69DE8086EBBB8FF0572071442AFE054973A1D3748D42DB18
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PkGNG
                                          • API String ID: 0-263838557
                                          • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                          • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                          • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                          • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                          APIs
                                            • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                          • String ID:
                                          • API String ID: 2829624132-0
                                          • Opcode ID: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                                          • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                          • Opcode Fuzzy Hash: efce462eab54bf8eb2a2b6f9a4d43eb8e53eecd25de09d2246b00390d92e3d5e
                                          • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                          • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                          • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                          • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                          APIs
                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                          • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Crypt$Context$AcquireRandomRelease
                                          • String ID:
                                          • API String ID: 1815803762-0
                                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                          • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                          • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                          APIs
                                          • OpenClipboard.USER32(00000000), ref: 0040B711
                                          • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                          • CloseClipboard.USER32 ref: 0040B725
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Clipboard$CloseDataOpen
                                          • String ID:
                                          • API String ID: 2058664381-0
                                          • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                          • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                          • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                          • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
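The function cards above are raw API-reference listings, and a few of them carry the sample's actual capabilities: FindFirstFileW/FindNextFileW whose subcall reaches send (a directory listing that ends up on a socket), SystemParametersInfoW with uiAction 0x14 (SPI_SETDESKWALLPAPER) and fWinIni 3 (SPIF_UPDATEINIFILE | SPIF_SENDCHANGE) next to the Control Panel\Desktop / WallpaperStyle / TileWallpaper registry writes, CryptAcquireContextA with PROV_RSA_FULL (1) and dwFlags 0xF0000000 (CRYPT_VERIFYCONTEXT) feeding CryptGenRandom, and OpenClipboard followed by GetClipboardData(0x0D), which is CF_UNICODETEXT. The many GetLocaleInfoW / GetLastError / _free / _abort cards are MSVC runtime locale initialisation, not sample logic, and are best filtered out before reading the rest. The script below is an added example, not Joe Sandbox tooling or code from the sample: it parses this card format, separates a function's own calls from "Part of subcall function" references, decodes the two argument constants above, and tags each card. The embedded SAMPLE_CARDS text is constructed from the cards on this page, trimmed to the lines the parser reads; the tag names, the CRT_RUNTIME list and the rule set are this example's own choices. One caveat is built in: the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple at 0043BC1A is also exactly what the MSVC CRT security-failure handler looks like, so it is tagged for review rather than treated as deliberate anti-debugging.

```python
import re
from dataclasses import dataclass, field

SPI_SETDESKWALLPAPER = 0x14   # SystemParametersInfoW uiAction (documented SDK value)
CF_UNICODETEXT = 0x0D         # GetClipboardData format (documented SDK value)

# Calls the MSVC runtime makes on its own (locale init, heap, error state); a card built only from these is library code.
CRT_RUNTIME = {"GetLastError", "SetLastError", "_free", "_abort", "_wcschr", "__EH_prolog",
               "GetLocaleInfoW", "IsValidCodePage", "IsValidLocale", "GetUserDefaultLCID",
               "EnumSystemLocalesW", "HeapFree", "GetTimeZoneInformation", "WideCharToMultiByte"}

# One API reference line: optional subcall prefix, Name.MODULE(args), ref: address.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[\w@]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)

# Constructed sample: five of the cards on this page, trimmed to the lines the parser reads.
SAMPLE_CARDS = r"""
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• API ID: FileFind$FirstNextsend
• Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
• API ID: CloseCreateInfoParametersSystemValue
• Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
• IsDebuggerPresent.KERNEL32 ref: 0043BC1A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
• OpenClipboard.USER32(00000000), ref: 0040B711
• GetClipboardData.USER32(0000000D), ref: 0040B71D
• API ID: Clipboard$CloseDataOpen
• Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
• GetUserDefaultLCID.KERNEL32 ref: 0045271C
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 004527CE
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
"""

@dataclass
class Card:
    api_id: str = ""
    direct: list = field(default_factory=list)    # (name, args) the function calls itself
    indirect: list = field(default_factory=list)  # (name, args) reached through subcalls

    def names(self, include_indirect=True):
        calls = self.direct + (self.indirect if include_indirect else [])
        return {name for name, _ in calls}

def parse_cards(text):
    """Split the listing into cards; a card ends at its Instruction Fuzzy Hash line."""
    cards, cur = [], Card()
    for line in (raw.strip() for raw in text.splitlines()):
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            (cur.indirect if m.group("sub") else cur.direct).append((m.group("name"), args))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cards.append(cur)
            cur = Card()
    return cards

def hexarg(args, i):
    """args[i] as an int; None for '?' (unresolved by the plugin), string literals, or a missing slot."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None

def classify(card):
    """Capability tags for one card; argument checks use the decoded constants above."""
    tags, direct, every = set(), card.names(False), card.names()
    for name, args in card.direct:
        if name == "SystemParametersInfoW" and hexarg(args, 0) == SPI_SETDESKWALLPAPER:
            tags.add("wallpaper-change")
        if name == "GetClipboardData" and hexarg(args, 0) == CF_UNICODETEXT:
            tags.add("clipboard-read-text")
    if "IsDebuggerPresent" in direct:
        tags.add("debugger-check")
        # The same triple is the MSVC CRT security-failure handler: review it, do not convict on it.
        if {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= direct:
            tags.add("crt-failfast-pattern")
    if {"FindFirstFileW", "FindNextFileW"} <= direct and "send" in every:
        tags.add("file-enum-feeds-socket")
    if not tags and every and every <= CRT_RUNTIME:
        tags.add("crt-runtime-noise")
    return tags

def triage(text):
    return {c.api_id: sorted(classify(c)) for c in parse_cards(text)}
```

Running triage(SAMPLE_CARDS) yields one entry per API ID; the locale card comes back as crt-runtime-noise and can be dropped from review, while the wallpaper, clipboard and directory-listing cards carry the tags that matter for the Remcos verdict. Feeding the script the full card export instead of the sample extends the same filtering to every function on the page.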
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: FeaturePresentProcessor
                                          • String ID:
                                          • API String ID: 2325560087-3916222277
                                          • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                          • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                          • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                          • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: GetLocaleInfoEx
                                          • API String ID: 2299586839-2904428671
                                          • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                          • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                          • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                          • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                          • HeapFree.KERNEL32(00000000), ref: 004120EE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Heap$FreeProcess
                                          • String ID:
                                          • API String ID: 3859560861-0
                                          • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                          • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                          • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                          • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                          APIs
                                            • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                          • String ID:
                                          • API String ID: 1663032902-0
                                          • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                          • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                          • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                          • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                          APIs
                                            • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale_abort_free
                                          • String ID:
                                          • API String ID: 2692324296-0
                                          • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                          • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                          • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                          • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                          APIs
                                            • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                          • EnumSystemLocalesW.KERNEL32(00452313,00000001), ref: 00452082
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          APIs
                                          • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          APIs
                                            • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                          • EnumSystemLocalesW.KERNEL32(Function_000483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • String ID:
                                          • API String ID: 1272433827-0
                                          APIs
                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                          • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                          • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                          • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                          • ResumeThread.KERNEL32(?), ref: 00418435
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                          • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                          • GetLastError.KERNEL32 ref: 0041847A
                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                          • API String ID: 4188446516-3035715614
                                          APIs
                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                            • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                            • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                          • ExitProcess.KERNEL32 ref: 0040D7D0
                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                          • API String ID: 1861856835-332907002
                                          APIs
                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                            • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                            • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                          • ExitProcess.KERNEL32 ref: 0040D419
                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                          • API String ID: 3797177996-2557013105
                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                          • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                          • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                          • GetCurrentProcessId.KERNEL32 ref: 00412541
                                          • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                          • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                            • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                          • Sleep.KERNEL32(000001F4), ref: 00412682
                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                          • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                          • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                          • String ID: .exe$8SG$WDH$exepath$open$temp_
                                          • API String ID: 2649220323-436679193
                                          APIs
                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                          • SetEvent.KERNEL32 ref: 0041B219
                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                          • CloseHandle.KERNEL32 ref: 0041B23A
                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                          • API String ID: 738084811-2094122233
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                          • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                          • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                          • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                          • API ID: File$Write$Create
                                          • String ID: RIFF$WAVE$data$fmt
                                          • API String ID: 1602526932-4212202414
                                          APIs
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe,00000001,0040764D,C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                          • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                          • API ID: AddressHandleModuleProc
                                          • String ID: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                          • API String ID: 1646373207-1454343488
                                          APIs
                                          • lstrlenW.KERNEL32(?), ref: 0041C036
                                          • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                          • lstrlenW.KERNEL32(?), ref: 0041C067
                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                          • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                          • _wcslen.LIBCMT ref: 0041C13B
                                          • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                          • GetLastError.KERNEL32 ref: 0041C173
                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                          • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                          • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                          • GetLastError.KERNEL32 ref: 0041C1D0
                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                          • String ID: ?
                                          • API String ID: 3941738427-1684325040
                                          • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                          • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                          • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                          • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$EnvironmentVariable$_wcschr
                                          • String ID:
                                          • API String ID: 3899193279-0
                                          • Opcode ID: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
                                          • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                          • Opcode Fuzzy Hash: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
                                          • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                          • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                          • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                          • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                          • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                          • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                          • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                          • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                          • Sleep.KERNEL32(00000064), ref: 00412E94
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                          • String ID: /stext "$0TG$0TG$NG$NG
                                          • API String ID: 1223786279-2576077980
                                          • Opcode ID: 2986c19d5eff0671da4a124577a32cf2d74727819232519ecdbd70d3c5314773
                                          • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                          • Opcode Fuzzy Hash: 2986c19d5eff0671da4a124577a32cf2d74727819232519ecdbd70d3c5314773
                                          • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
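The function above carries the string `/stext "` next to three DeleteFileW calls, a send() subcall and short Sleep loops. `/stext <file>` is the switch NirSoft's password-recovery utilities accept to write their results to a text file, so the shape of the routine is: start a dropped helper with `/stext <outfile>`, wait, read the output, delete it, and push the contents to the controller. The following detector is an added example, not code from the report or from Joe Sandbox; the telemetry records it runs over are constructed here in a Sysmon-like shape, and the field names (`event`, `pid`, `ppid`, `image`, `parent_image`, `cmdline`, `path`) are assumptions about the log source. The sibling switches besides `/stext` are NirSoft's other documented export formats, included because a RAT may use any of them.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (process creation and file deletion) in a
# Sysmon-like shape. Made up for this example; not taken from the report.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 100.0, "event": "process_create", "pid": 4120, "ppid": 3304,
     "image": r"C:\Users\victim\AppData\Local\Temp\oygsvc.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\oygsvc.exe" /stext "C:\Users\victim\AppData\Local\Temp\hdwbkr.dat"'},
    {"ts": 101.5, "event": "file_delete", "pid": 3304,
     "path": r"C:\Users\victim\AppData\Local\Temp\hdwbkr.dat"},
    {"ts": 200.0, "event": "process_create", "pid": 5000, "ppid": 1200,
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x archive.7z'},
    {"ts": 300.0, "event": "process_create", "pid": 6000, "ppid": 2000,
     "image": r"C:\Tools\WebBrowserPassView.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'WebBrowserPassView.exe /stext C:\Tools\out.txt'},
]

# /stext is the switch seen in the report; the others are NirSoft's documented
# export switches for the same tool family. The output path may be quoted or bare.
EXPORT_SWITCH_RE = re.compile(
    r'(?i)(?:^|\s)/s(text|tab|comma|html|verhtml|xml|csv|json)\s+(?:"([^"]*)"|(\S+))'
)
# Directories a non-admin process can write to; a recovery tool living there is
# far more likely to have been dropped than installed.
USER_WRITABLE_RE = re.compile(r'(?i)\\(?:AppData|Temp|ProgramData|Public)\\')


def find_credential_dump_runs(events: List[Dict], delete_window_s: float = 60.0) -> List[Dict]:
    """Return one finding per process started with a NirSoft-style export switch.

    Severity rises when the tool or its parent runs from a user-writable path and
    when the parent deletes the output file shortly afterwards, which mirrors the
    read-then-DeleteFileW sequence in the function above.
    """
    deletes = [e for e in events if e["event"] == "file_delete"]
    findings = []
    for e in events:
        if e["event"] != "process_create":
            continue
        m = EXPORT_SWITCH_RE.search(e["cmdline"])
        if not m:
            continue
        out_path = m.group(2) or m.group(3)
        cleaned_by_parent = any(
            d["pid"] == e["ppid"]
            and d["path"].lower() == out_path.lower()
            and 0 <= d["ts"] - e["ts"] <= delete_window_s
            for d in deletes
        )
        score = 1
        if USER_WRITABLE_RE.search(e["image"]):
            score += 1
        if USER_WRITABLE_RE.search(e["parent_image"]):
            score += 1
        if cleaned_by_parent:
            score += 2
        findings.append({
            "pid": e["pid"],
            "parent": e["parent_image"],
            "switch": "/s" + m.group(1).lower(),
            "output": out_path,
            "output_deleted_by_parent": cleaned_by_parent,
            "score": score,
            "severity": "high" if score >= 4 else "medium" if score >= 2 else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in find_credential_dump_runs(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the dropped helper started from %AppData% by a parent in %AppData%, whose output file the parent deletes 1.5 s later, scores "high"; an analyst running WebBrowserPassView from C:\Tools with no cleanup scores "low". The parent-pid correlation is the part worth keeping even if the scoring is changed: a legitimate user rarely deletes the export file from a different process within a minute.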
                                          APIs
                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                          • GetCursorPos.USER32(?), ref: 0041D5E9
                                          • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                          • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                          • ExitProcess.KERNEL32 ref: 0041D665
                                          • CreatePopupMenu.USER32 ref: 0041D66B
                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                          • String ID: Close
                                          • API String ID: 1657328048-3535843008
                                          • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                          • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                          • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                          • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$Info
                                          • String ID:
                                          • API String ID: 2509303402-0
                                          • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                          • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                          • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                          • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                          • __aulldiv.LIBCMT ref: 00408D4D
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                          • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                          • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                          • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                          • API String ID: 3086580692-2582957567
                                          • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                          • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                          • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                          • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                          APIs
                                          • Sleep.KERNEL32(00001388), ref: 0040A740
                                            • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                            • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                            • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                            • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                          • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                          • API String ID: 3795512280-1152054767
                                          • Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                          • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                          • Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                          • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                          APIs
                                          • connect.WS2_32(?,?,?), ref: 004048E0
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                          • WSAGetLastError.WS2_32 ref: 00404A21
                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                          • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                          • API String ID: 994465650-3229884001
                                          • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                          • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                          • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                          • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 0045130A
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                            • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                          • _free.LIBCMT ref: 004512FF
                                            • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                          • _free.LIBCMT ref: 00451321
                                          • _free.LIBCMT ref: 00451336
                                          • _free.LIBCMT ref: 00451341
                                          • _free.LIBCMT ref: 00451363
                                          • _free.LIBCMT ref: 00451376
                                          • _free.LIBCMT ref: 00451384
                                          • _free.LIBCMT ref: 0045138F
                                          • _free.LIBCMT ref: 004513C7
                                          • _free.LIBCMT ref: 004513CE
                                          • _free.LIBCMT ref: 004513EB
                                          • _free.LIBCMT ref: 00451403
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                          • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                          • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                          APIs
                                          • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041C726
                                          • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnumOpen
                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
                                          • API String ID: 1332880857-3730529168
                                          • Opcode ID: 9acb91869caa52ba962ff5e9cffe7dbf008cca4ae8889db815e50d5881a9b18e
                                          • Instruction ID: 30dd124696def6d144da0f01c12024620090e461f41beb3abd2b2340f2562d2c
                                          • Opcode Fuzzy Hash: 9acb91869caa52ba962ff5e9cffe7dbf008cca4ae8889db815e50d5881a9b18e
                                          • Instruction Fuzzy Hash: E961F3711082419AD325EF11D851EEFB3E8BF94309F10493FB589921A2FF789E49CA5A
                                          APIs
                                            • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                            • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                            • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                            • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                            • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                          • ExitProcess.KERNEL32 ref: 0040D9C4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                          • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                          • API String ID: 1913171305-3159800282
                                          • Opcode ID: 523fac73997d54481d8aebdb5cb67a2a0406e130f2c03ac9efc8718d19fe164d
                                          • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                          • Opcode Fuzzy Hash: 523fac73997d54481d8aebdb5cb67a2a0406e130f2c03ac9efc8718d19fe164d
                                          • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
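The function above reads a value named `exepath` from HKEY_CURRENT_USER (RegOpenKeyExA with 80000001, RegQueryValueExA), takes its own path with GetModuleFileNameW, and combines the fragments `CreateObject("WScript.Shell").Run "cmd /c ""`, `""", 0` and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)` into a `.vbs` under `Temp`, launches it through ShellExecuteW with the `open` verb and calls ExitProcess. The script therefore restarts the stored executable through `cmd /c` with window style 0 (hidden) and then removes itself, leaving no script on disk for a responder to find. The parser below is an added example, not code from the report or from Joe Sandbox: it takes the text of such a script and recovers the relaunched path, the window style and the self-delete. The sample script is constructed from the report's fragments; putting them on two lines and the install path itself are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample script. The string fragments are those the report lists
# for this function; the line layout and the path are assumptions.
SAMPLE_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\victim\\AppData\\Roaming\\remcos\\remcos.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)

# Constructed benign script for contrast: visible window, no self-delete.
BENIGN_VBS = 'CreateObject("WScript.Shell").Run "notepad.exe", 1\r\n'

# .Run "<literal>"[, <windowstyle>]  -- a VBScript literal embeds a quote as "".
RUN_RE = re.compile(r'\.Run\s+"((?:[^"]|"")*)"(?:\s*,\s*(\d+))?', re.IGNORECASE)
# cmd /c "<path>"  or  cmd /c <path>
CMD_C_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"?(.*?)"?\s*$', re.IGNORECASE)
# FileSystemObject deleting the running script itself.
SELF_DELETE_RE = re.compile(
    r'Scripting\.FileSystemObject.*?\.DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)',
    re.IGNORECASE | re.DOTALL,
)


def vbs_unescape(literal: str) -> str:
    """Undo VBScript's quote doubling inside a string literal."""
    return literal.replace('""', '"')


def analyze_relaunch_script(text: str) -> Dict:
    """Describe what a WScript.Shell.Run line executes, whether the window is
    hidden (style 0) and whether the script deletes itself afterwards."""
    result: Dict = {
        "command": None,
        "relaunch_path": None,
        "window_style": None,
        "hidden_window": False,
        "self_deleting": bool(SELF_DELETE_RE.search(text)),
    }
    m = RUN_RE.search(text)
    if not m:
        return result
    command = vbs_unescape(m.group(1))
    style: Optional[int] = int(m.group(2)) if m.group(2) is not None else None
    c = CMD_C_RE.match(command)
    result.update({
        "command": command,
        "relaunch_path": c.group(1) if c else command,
        "window_style": style,
        "hidden_window": style == 0,
    })
    return result


def is_hidden_self_deleting_relaunch(report: Dict) -> bool:
    """The combination the function above produces: hidden relaunch plus self-delete."""
    return bool(report["relaunch_path"]) and report["hidden_window"] and report["self_deleting"]


if __name__ == "__main__":
    print(analyze_relaunch_script(SAMPLE_VBS))
    print(analyze_relaunch_script(BENIGN_VBS))
```

Because the script deletes itself, the text is usually only recoverable from a file-creation event that captured its contents, from the wscript.exe command line (which names the `.vbs` in %Temp%), or from memory; the `exepath` value under HKCU survives and points at the same binary.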
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                          • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                          • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                          • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                          APIs
                                            • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                          • GetLastError.KERNEL32 ref: 00455CEF
                                          • __dosmaperr.LIBCMT ref: 00455CF6
                                          • GetFileType.KERNEL32(00000000), ref: 00455D02
                                          • GetLastError.KERNEL32 ref: 00455D0C
                                          • __dosmaperr.LIBCMT ref: 00455D15
                                          • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                          • CloseHandle.KERNEL32(?), ref: 00455E7F
                                          • GetLastError.KERNEL32 ref: 00455EB1
                                          • __dosmaperr.LIBCMT ref: 00455EB8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                          • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                          • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                          • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                          • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                          • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                          • __freea.LIBCMT ref: 0044AE30
                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                          • __freea.LIBCMT ref: 0044AE39
                                          • __freea.LIBCMT ref: 0044AE5E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                          • String ID: $C$PkGNG
                                          • API String ID: 3864826663-3740547665
                                          • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                          • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                          • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                          • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: \&G$\&G$`&G
                                          • API String ID: 269201875-253610517
                                          • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                          • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                          • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                          • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 65535$udp
                                          • API String ID: 0-1267037602
                                          • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                          • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                          • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                          • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 0040AD38
                                          • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                          • GetForegroundWindow.USER32 ref: 0040AD49
                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                          • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                          • String ID: [${ User has been idle for $ minutes }$]
                                          • API String ID: 911427763-3954389425
                                          • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                          • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                          • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                          • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                          • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                          • __dosmaperr.LIBCMT ref: 0043A8A6
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                          • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                          • __dosmaperr.LIBCMT ref: 0043A8E3
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                          • __dosmaperr.LIBCMT ref: 0043A937
                                          • _free.LIBCMT ref: 0043A943
                                          • _free.LIBCMT ref: 0043A94A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                          • String ID:
                                          • API String ID: 2441525078-0
                                          • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                          • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                          • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                          • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                          • TranslateMessage.USER32(?), ref: 0040557E
                                          • DispatchMessageA.USER32(?), ref: 00405589
                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                          • API String ID: 2956720200-749203953
                                          • Opcode ID: d61d42d8eab0d720631995167214654c6103fa2369fe784e1bd38fbaf09f349a
                                          • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                          • Opcode Fuzzy Hash: d61d42d8eab0d720631995167214654c6103fa2369fe784e1bd38fbaf09f349a
                                          • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                          APIs
                                            • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                          • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                          • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                          • String ID: 0VG$0VG$<$@$Temp
                                          • API String ID: 1704390241-2575729100
                                          • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                          • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                          • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                          • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                          APIs
                                          • OpenClipboard.USER32 ref: 00416941
                                          • EmptyClipboard.USER32 ref: 0041694F
                                          • CloseClipboard.USER32 ref: 00416955
                                          • OpenClipboard.USER32 ref: 0041695C
                                          • GetClipboardData.USER32(0000000D), ref: 0041696C
                                          • GlobalLock.KERNEL32(00000000), ref: 00416975
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                          • CloseClipboard.USER32 ref: 00416984
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                          • String ID: !D@
                                          • API String ID: 2172192267-604454484
                                          • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                          • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                          • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                          • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                          APIs
                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                          • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                          • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                          • CloseHandle.KERNEL32(?), ref: 00413465
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                          • String ID:
                                          • API String ID: 297527592-0
                                          • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                          • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                          • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                          • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                          • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                          • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                          • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                          APIs
                                          • _free.LIBCMT ref: 00448135
                                            • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                          • _free.LIBCMT ref: 00448141
                                          • _free.LIBCMT ref: 0044814C
                                          • _free.LIBCMT ref: 00448157
                                          • _free.LIBCMT ref: 00448162
                                          • _free.LIBCMT ref: 0044816D
                                          • _free.LIBCMT ref: 00448178
                                          • _free.LIBCMT ref: 00448183
                                          • _free.LIBCMT ref: 0044818E
                                          • _free.LIBCMT ref: 0044819C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                          • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                          • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                          • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Eventinet_ntoa
                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                          • API String ID: 3578746661-3604713145
                                          • Opcode ID: 63dff2fd752418fa4a45836bec1d77816f695f6a23f7f7b31758766d03edbebb
                                          • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                          • Opcode Fuzzy Hash: 63dff2fd752418fa4a45836bec1d77816f695f6a23f7f7b31758766d03edbebb
                                          • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                          APIs
                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                          • __fassign.LIBCMT ref: 0044B479
                                          • __fassign.LIBCMT ref: 0044B494
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                          • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID: PkGNG
                                          • API String ID: 1324828854-263838557
                                          • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                          • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                          • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                          • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                          • Sleep.KERNEL32(00000064), ref: 00417521
                                          • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: File$CreateDeleteExecuteShellSleep
                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                          • API String ID: 1462127192-2001430897
                                          • Opcode ID: d6a7a8c36c87aba2787b8ea33aa4d1f7fca6d44790c4f13fbcc8ebc3b329175f
                                          • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                          • Opcode Fuzzy Hash: d6a7a8c36c87aba2787b8ea33aa4d1f7fca6d44790c4f13fbcc8ebc3b329175f
                                          • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe), ref: 0040749E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CurrentProcess
                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                          • API String ID: 2050909247-4242073005
                                          • Opcode ID: c96af00a5e7ec94e66acc45bf1863d5a4294996af44aaa2752f51638bf238a49
                                          • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                          • Opcode Fuzzy Hash: c96af00a5e7ec94e66acc45bf1863d5a4294996af44aaa2752f51638bf238a49
                                          • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                          APIs
                                          • _strftime.LIBCMT ref: 00401D50
                                            • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                          • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                          • API String ID: 3809562944-243156785
                                          • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                          • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                          • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                          • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                          APIs
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                          • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                          • waveInStart.WINMM ref: 00401CFE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                          • String ID: dMG$|MG$PG
                                          • API String ID: 1356121797-532278878
                                          • Opcode ID: 993692589c413c6f5f0556b0fca4e76cf40985a39ae9ebd2fae1836bdcb2a895
                                          • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                          • Opcode Fuzzy Hash: 993692589c413c6f5f0556b0fca4e76cf40985a39ae9ebd2fae1836bdcb2a895
                                          • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                            • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                            • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                            • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                          • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                          • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                          • TranslateMessage.USER32(?), ref: 0041D4E9
                                          • DispatchMessageA.USER32(?), ref: 0041D4F3
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                          • String ID: Remcos
                                          • API String ID: 1970332568-165870891
                                          • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                          • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                          • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                          • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                          • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                          • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                          • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                          APIs
                                            • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                            • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                            • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                            • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                          • _memcmp.LIBVCRUNTIME ref: 00445423
                                          • _free.LIBCMT ref: 00445494
                                          • _free.LIBCMT ref: 004454AD
                                          • _free.LIBCMT ref: 004454DF
                                          • _free.LIBCMT ref: 004454E8
                                          • _free.LIBCMT ref: 004454F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorLast$_abort_memcmp
                                          • String ID: C
                                          • API String ID: 1679612858-1037565863
                                          • Opcode ID: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                          • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                          • Opcode Fuzzy Hash: a8f4e868e6027df86e14abe5e970da0ea11d1bbd4f9432e493711607e9b70df4
                                          • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: tcp$udp
                                          • API String ID: 0-3725065008
                                          • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                          • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                          • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                          • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                          APIs
                                            • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                          • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                          • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                          • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                                            • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                                          • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                                          • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                                          • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                                            • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                            • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                          • String ID: t^F
                                          • API String ID: 3950776272-389975521
                                          • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                          • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                          • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                          • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                          • ExitThread.KERNEL32 ref: 004018F6
                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                          • String ID: PkG$XMG$NG$NG
                                          • API String ID: 1649129571-3151166067
                                          • Opcode ID: cdec32db15edff859d4dc3adfbb971a1a7df97296c827c92140e57336d635a83
                                          • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                          • Opcode Fuzzy Hash: cdec32db15edff859d4dc3adfbb971a1a7df97296c827c92140e57336d635a83
                                          • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                            • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                          • String ID: .part
                                          • API String ID: 1303771098-3499674018
                                          • Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                          • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                          • Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                          • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                          APIs
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                          • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InputSend
                                          • String ID:
                                          • API String ID: 3431551938-0
                                          • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                          • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                          • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                          • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16_free
                                          • String ID: a/p$am/pm$zD
                                          • API String ID: 2936374016-2723203690
                                          • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                          • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                          • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                          • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                          APIs
                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Enum$InfoQueryValue
                                          • String ID: [regsplt]$xUG$TG
                                          • API String ID: 3554306468-1165877943
                                          • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                          • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                          • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                          • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                            • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                            • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                          • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnumInfoOpenQuerysend
                                          • String ID: xUG$NG$NG$TG
                                          • API String ID: 3114080316-2811732169
                                          • Opcode ID: c6f35c2bf26cfa5651eb61a3c71b5883c010595c96b2a316ccc479b627cc95f7
                                          • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                          • Opcode Fuzzy Hash: c6f35c2bf26cfa5651eb61a3c71b5883c010595c96b2a316ccc479b627cc95f7
                                          • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                          • __alloca_probe_16.LIBCMT ref: 004511B1
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                          • __freea.LIBCMT ref: 0045121D
                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                          • String ID: PkGNG
                                          • API String ID: 313313983-263838557
                                          • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                          • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                          • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                          • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                          APIs
                                            • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                            • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                            • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                          • _wcslen.LIBCMT ref: 0041B763
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                          • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                          • API String ID: 37874593-122982132
                                          • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                          • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                          • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                          • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                          • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                          • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                          • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                          • int.LIBCPMT ref: 00411183
                                            • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                            • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                          • std::_Facet_Register.LIBCPMT ref: 004111C3
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                          • String ID: (mG
                                          • API String ID: 2536120697-4059303827
                                          • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                          • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                          • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                          • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                          APIs
                                          • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                          • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                          • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                          • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                          • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe), ref: 004075D0
                                            • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                            • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                          • CoUninitialize.OLE32 ref: 00407629
                                          Strings
                                          • [+] ShellExec success, xrefs: 0040760E
                                          • [+] before ShellExec, xrefs: 004075F1
                                          • C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, xrefs: 004075B0, 004075B3, 00407605
                                          • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InitializeObjectUninitialize_wcslen
                                          • String ID: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                          • API String ID: 3851391207-3940446671
                                          • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                          • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                          • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                          • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                          • GetLastError.KERNEL32 ref: 0040BAE7
                                          Strings
                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                          • [Chrome Cookies not found], xrefs: 0040BB01
                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                          • UserProfile, xrefs: 0040BAAD
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                          • API String ID: 2018770650-304995407
                                          • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                          • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                          • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                          • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                          • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$PkGNG$mscoree.dll
                                          • API String ID: 4061214504-213444651
                                          • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                          • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                          • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                          • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                          APIs
                                          • _free.LIBCMT ref: 00444066
                                            • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                          • _free.LIBCMT ref: 00444078
                                          • _free.LIBCMT ref: 0044408B
                                          • _free.LIBCMT ref: 0044409C
                                          • _free.LIBCMT ref: 004440AD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID: N
                                          • API String ID: 776569668-1689755984
                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                          • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                          • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                          APIs
                                          • __allrem.LIBCMT ref: 0043AC69
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                          • __allrem.LIBCMT ref: 0043AC9C
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                          • __allrem.LIBCMT ref: 0043ACD1
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          • Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                          • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                          • Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                          • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                          APIs
                                          • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prologSleep
                                          • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                          • API String ID: 3469354165-3054508432
                                          • Opcode ID: e2d5ac86fcfe21acd8ba2f579f05d6c4b7ac4be7400216cbb6f14c0a350a1ada
                                          • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                          • Opcode Fuzzy Hash: e2d5ac86fcfe21acd8ba2f579f05d6c4b7ac4be7400216cbb6f14c0a350a1ada
                                          • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __cftoe
                                          • String ID:
                                          • API String ID: 4189289331-0
                                          • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                          • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                          • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                          • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                          • String ID:
                                          • API String ID: 493672254-0
                                          • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                          • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                          • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                          • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __alldvrm$_strrchr
                                          • String ID: PkGNG
                                          • API String ID: 1036877536-263838557
                                          • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                          • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                          • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                          • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                          APIs
                                          • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                          • _free.LIBCMT ref: 0044824C
                                          • _free.LIBCMT ref: 00448274
                                          • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                          • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                          • _abort.LIBCMT ref: 00448293
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                          • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                          • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                          • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                          • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                          • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                          • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                          • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                          • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                          • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                          • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                          • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                          • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: PkGNG
                                          • API String ID: 0-263838557
                                          • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                          • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                          • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                          • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                          • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                          • CloseHandle.KERNEL32(?), ref: 00404DDB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                          • String ID: PkGNG
                                          • API String ID: 3360349984-263838557
                                          • Opcode ID: e2f882af2a30351f686d04b3cd6d667c62da5f5effcafa466e9aedc6b7e26869
                                          • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                          • Opcode Fuzzy Hash: e2f882af2a30351f686d04b3cd6d667c62da5f5effcafa466e9aedc6b7e26869
                                          • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe,00000104), ref: 00443475
                                          • _free.LIBCMT ref: 00443540
                                          • _free.LIBCMT ref: 0044354A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe$N
                                          • API String ID: 2506810119-1252214139
                                          • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                          • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                          • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                          • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                          • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                          • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleSizeSleep
                                          • String ID: XQG
                                          • API String ID: 1958988193-3606453820
                                          • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                          • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                          • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                          • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                          APIs
                                          • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                          • GetLastError.KERNEL32 ref: 0041D580
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCreateErrorLastRegisterWindow
                                          • String ID: 0$MsgWindowClass
                                          • API String ID: 2877667751-2410386613
                                          • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                          • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                          • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                          • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                          APIs
                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                          • CloseHandle.KERNEL32(?), ref: 004077AA
                                          • CloseHandle.KERNEL32(?), ref: 004077AF
                                          Strings
                                          • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CloseHandle$CreateProcess
                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                          • API String ID: 2922976086-4183131282
                                          • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                          • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                          • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                          • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                          Strings
                                          • C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe, xrefs: 004076C4
                                          • SG, xrefs: 004076DA
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: SG$C:\Users\user\Desktop\Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe
                                          • API String ID: 0-3819047903
                                          • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                          • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                          • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                          • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                          • SetEvent.KERNEL32(?), ref: 0040512C
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                          • CloseHandle.KERNEL32(?), ref: 00405140
                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                          • String ID: KeepAlive | Disabled
                                          • API String ID: 2993684571-305739064
                                          • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                          • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                          • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                          • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                          APIs
                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                          • Sleep.KERNEL32(00002710), ref: 0041AE07
                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                          • String ID: Alarm triggered
                                          • API String ID: 614609389-2816303416
                                          • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                          • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                          • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                          • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                          Strings
                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                          • API String ID: 3024135584-2418719853
                                          • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                          • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                          • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                          • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                          • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                          • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                          • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                          APIs
                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                          • _free.LIBCMT ref: 00444E06
                                          • _free.LIBCMT ref: 00444E1D
                                          • _free.LIBCMT ref: 00444E3C
                                          • _free.LIBCMT ref: 00444E57
                                          • _free.LIBCMT ref: 00444E6E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: _free$AllocateHeap
                                          • String ID:
                                          • API String ID: 3033488037-0
                                          • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                          • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                          • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                          • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                          APIs
                                            • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                          • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                            • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                            • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 4269425633-0
                                          • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                          • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                          • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                          • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                          • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                          • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                          • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                            • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                          • _free.LIBCMT ref: 0044F3BF
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                          • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                          • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                          • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                          APIs
                                          • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                          • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                          • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                          • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: File$CloseHandle$CreatePointerWrite
                                          • String ID:
                                          • API String ID: 1852769593-0
                                          • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                          • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                          • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                          • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                          APIs
                                          • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                          • _free.LIBCMT ref: 004482D3
                                          • _free.LIBCMT ref: 004482FA
                                          • SetLastError.KERNEL32(00000000), ref: 00448307
                                          • SetLastError.KERNEL32(00000000), ref: 00448310
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                          • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                          • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                          • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                          APIs
                                          • _free.LIBCMT ref: 004509D4
                                            • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                            • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                          • _free.LIBCMT ref: 004509E6
                                          • _free.LIBCMT ref: 004509F8
                                          • _free.LIBCMT ref: 00450A0A
                                          • _free.LIBCMT ref: 00450A1C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                          • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                          • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PkGNG
                                          • API String ID: 0-263838557
                                          • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                          • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                          • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                          • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CountEventTick
                                          • String ID: !D@$NG
                                          • API String ID: 180926312-2721294649
                                          • Opcode ID: 4daf5ccc38b2bdb6d01829a919c108342988d57c8adc146389efe19ffd310691
                                          • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                          • Opcode Fuzzy Hash: 4daf5ccc38b2bdb6d01829a919c108342988d57c8adc146389efe19ffd310691
                                          • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: `#D$`#D
                                          • API String ID: 885266447-2450397995
                                          • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                          • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                          • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                          • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                          APIs
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                          • GetLastError.KERNEL32 ref: 0044B931
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: ByteCharErrorFileLastMultiWideWrite
                                          • String ID: PkGNG
                                          • API String ID: 2456169464-263838557
                                          • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                          • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                                          • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                          • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                            • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                            • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                            • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                          • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Similarity
                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                          • String ID: /sort "Visit Time" /stext "$0NG
                                          • API String ID: 368326130-3219657780
                                          • Opcode ID: 5a82faa1ad293261ac248fbd7caeb08181cf258f5e0d188fe14b0def416cf126
                                          • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                          • Opcode Fuzzy Hash: 5a82faa1ad293261ac248fbd7caeb08181cf258f5e0d188fe14b0def416cf126
                                          • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                          APIs
                                          • _wcslen.LIBCMT ref: 004162F5
                                            • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                            • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                            • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                            • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _wcslen$CloseCreateValue
                                          • String ID: !D@$okmode$PG
                                          • API String ID: 3411444782-3370592832
                                          • Opcode ID: 4953b4e4a8c13c8acb6e7384e138a9f0719d67908b9bf54edc95309011813b1f
                                          • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                          • Opcode Fuzzy Hash: 4953b4e4a8c13c8acb6e7384e138a9f0719d67908b9bf54edc95309011813b1f
                                          • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                          APIs
                                            • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                          Strings
                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                          • User Data\Default\Network\Cookies, xrefs: 0040C603
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                          • API String ID: 1174141254-1980882731
                                          • Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                                          • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                          • Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                                          • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                          APIs
                                            • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                          Strings
                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                          • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                          • API String ID: 1174141254-1980882731
                                          • Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                                          • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                          • Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                                          • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                          • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                          • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$LocalTimewsprintf
                                          • String ID: Offline Keylogger Started
                                          • API String ID: 465354869-4114347211
                                          • Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                                          • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                          • Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                                          • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                          APIs
                                          • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                          • API String ID: 481472006-3277280411
                                          • Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                                          • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                          • Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                                          • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                          APIs
                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: CryptUnprotectData$crypt32
                                          • API String ID: 2574300362-2380590389
                                          • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                          • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                          • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                          • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                          APIs
                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                          • GetLastError.KERNEL32 ref: 0044C296
                                          • __dosmaperr.LIBCMT ref: 0044C29D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFileLastPointer__dosmaperr
                                          • String ID: PkGNG
                                          • API String ID: 2336955059-263838557
                                          • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                          • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                                          • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                          • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                          • CloseHandle.KERNEL32(?), ref: 004051CA
                                          • SetEvent.KERNEL32(?), ref: 004051D9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandleObjectSingleWait
                                          • String ID: Connection Timeout
                                          • API String ID: 2055531096-499159329
                                          • Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                          • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                          • Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                          • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Exception@8Throw
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 2005118841-1866435925
                                          • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                          • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                          • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                          • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                          APIs
                                          • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                          • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FormatFreeLocalMessage
                                          • String ID: @J@$PkGNG
                                          • API String ID: 1427518018-1416487119
                                          • Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                          • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                          • Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                          • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                          • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                          • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: Control Panel\Desktop
                                          • API String ID: 1818849710-27424756
                                          • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                          • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                          • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                          • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                          • ShowWindow.USER32(00000009), ref: 00416C61
                                          • SetForegroundWindow.USER32 ref: 00416C6D
                                            • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                            • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                            • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                          • String ID: !D@
                                          • API String ID: 3446828153-604454484
                                          • Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                          • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                          • Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                          • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: /C $cmd.exe$open
                                          • API String ID: 587946157-3896048727
                                          • Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                          • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                          • Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                          • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                          APIs
                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: GetCursorInfo$User32.dll
                                          • API String ID: 1646373207-2714051624
                                          • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                          • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                          • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                          • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                          APIs
                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                          • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetLastInputInfo$User32.dll
                                          • API String ID: 2574300362-1519888992
                                          • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                          • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                                          • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                          • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                          • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                          • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                          • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                          APIs
                                          Strings
                                          • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                          • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                          • API String ID: 3472027048-1236744412
                                          • Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                          • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                          • Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                          • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                          APIs
                                            • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                            • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                            • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                          • Sleep.KERNEL32(000001F4), ref: 0040A573
                                          • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$SleepText$ForegroundLength
                                          • String ID: [ $ ]
                                          • API String ID: 3309952895-93608704
                                          • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                          • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                          • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                          • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                          • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                          • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                          • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                          • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                          • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                          • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                          • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                          • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                          • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                          • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                          • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                          • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 3919263394-0
                                          • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                          • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                          • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                          • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                          APIs
                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleOpenProcess
                                          • String ID:
                                          • API String ID: 39102293-0
                                          • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                          • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                          • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                          • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                          APIs
                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                            • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                          • _UnwindNestedFrames.LIBCMT ref: 00439891
                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                          • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                          • String ID:
                                          • API String ID: 2633735394-0
                                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                          • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                          • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                          APIs
                                          • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                          • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                          • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                          • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MetricsSystem
                                          • String ID:
                                          • API String ID: 4116985748-0
                                          • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                          • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                          • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                          • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHandling__start
                                          • String ID: pow
                                          • API String ID: 3213639722-2276729525
                                          • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                          • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                          • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                          • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                          APIs
                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                          • __Init_thread_footer.LIBCMT ref: 0040B797
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Init_thread_footer__onexit
                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                          • API String ID: 1881088180-3686566968
                                          • Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                          • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                          • Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                          • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                          APIs
                                          • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: ACP$OCP
                                          • API String ID: 0-711371036
                                          • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                          • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                          • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                          • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                          APIs
                                          • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                          • GetLastError.KERNEL32 ref: 0044B804
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFileLastWrite
                                          • String ID: PkGNG
                                          • API String ID: 442123175-263838557
                                          • Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                          • Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
                                          • Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                          • Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                                          APIs
                                          • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                          • GetLastError.KERNEL32 ref: 0044B716
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFileLastWrite
                                          • String ID: PkGNG
                                          • API String ID: 442123175-263838557
                                          • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                          • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                                          • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                          • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                                          APIs
                                          • Sleep.KERNEL32 ref: 00416640
                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DownloadFileSleep
                                          • String ID: !D@
                                          • API String ID: 1931167962-604454484
                                          • Opcode ID: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                                          • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                          • Opcode Fuzzy Hash: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                                          • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: alarm.wav$hYG
                                          • API String ID: 1174141254-2782910960
                                          • Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                                          • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                          • Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                                          • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                          APIs
                                            • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                            • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                            • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                          • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                          • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                          • String ID: Online Keylogger Stopped
                                          • API String ID: 1623830855-1496645233
                                          • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                          • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                          • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                          • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                          APIs
                                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String
                                          • String ID: LCMapStringEx$PkGNG
                                          • API String ID: 2568140703-1065776982
                                          • Opcode ID: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                          • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                          • Opcode Fuzzy Hash: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                          • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                          APIs
                                          • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                          • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wave$BufferHeaderPrepare
                                          • String ID: XMG
                                          • API String ID: 2315374483-813777761
                                          • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                          • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                          • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                          • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                          APIs
                                          • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LocaleValid
                                          • String ID: IsValidLocaleName$JD
                                          • API String ID: 1901932003-2234456777
                                          • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                          • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                          • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                          • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                          • API String ID: 1174141254-4188645398
                                          • Opcode ID: 7005c2773d118e2c9d7b7987c52ef0ef7a298987e294b58a31e1cd003faf56ca
                                          • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                          • Opcode Fuzzy Hash: 7005c2773d118e2c9d7b7987c52ef0ef7a298987e294b58a31e1cd003faf56ca
                                          • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                          • API String ID: 1174141254-2800177040
                                          • Opcode ID: ab3f2aba289be1bf0ad3848519e66e4cff6ce689097d1d423b573e143f03c488
                                          • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                          • Opcode Fuzzy Hash: ab3f2aba289be1bf0ad3848519e66e4cff6ce689097d1d423b573e143f03c488
                                          • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: AppData$\Opera Software\Opera Stable\
                                          • API String ID: 1174141254-1629609700
                                          • Opcode ID: ab88a7dc1cafb0835d30463df654517a200d7fa6beafa267c9165c8e72f76c47
                                          • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                          • Opcode Fuzzy Hash: ab88a7dc1cafb0835d30463df654517a200d7fa6beafa267c9165c8e72f76c47
                                          • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                          APIs
                                          • GetKeyState.USER32(00000011), ref: 0040B64B
                                            • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                            • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                            • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                            • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                            • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                            • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                            • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                            • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                          • String ID: [AltL]$[AltR]
                                          • API String ID: 2738857842-2658077756
                                          • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                          • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                          • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                          • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                          APIs
                                          • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                          • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: uD
                                          • API String ID: 0-2547262877
                                          • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                          • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                          • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                          • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$FileSystem
                                          • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                          • API String ID: 2086374402-949981407
                                          • Opcode ID: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                          • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                          • Opcode Fuzzy Hash: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                          • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: !D@$open
                                          • API String ID: 587946157-1586967515
                                          • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                          • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                          • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                          • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                          APIs
                                          • ___initconout.LIBCMT ref: 0045555B
                                            • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                          • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ConsoleCreateFileWrite___initconout
                                          • String ID: PkGNG
                                          • API String ID: 3087715906-263838557
                                          • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                          • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                          • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                          • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                          APIs
                                          • GetKeyState.USER32(00000012), ref: 0040B6A5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: State
                                          • String ID: [CtrlL]$[CtrlR]
                                          • API String ID: 1649606143-2446555240
                                          • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                          • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                          • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                          • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                          APIs
                                            • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                          • __Init_thread_footer.LIBCMT ref: 00410F29
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Init_thread_footer__onexit
                                          • String ID: ,kG$0kG
                                          • API String ID: 1881088180-2015055088
                                          • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                          • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                          • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                          • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                          • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteOpenValue
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                          • API String ID: 2654517830-1051519024
                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                          • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                          • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                          • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                          • GetLastError.KERNEL32 ref: 00440D35
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast
                                          • String ID:
                                          • API String ID: 1717984340-0
                                          • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                          • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                          • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                          • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                          APIs
                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411B8C
                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C58
                                          • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                          • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1713258718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_400000_Doc089776867565357609 - EVER ATOP V.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastRead
                                          • String ID:
                                          • API String ID: 4100373531-0
                                          • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                          • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                          • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                          • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99